No Excuses for No Signatures

Opinion: We all owe thanks to Peter Torr for bringing the issue of digitally signed downloads back to our attention. Microsoft loves them, but they make even more sense for open-source projects.

Every now and then a real jewel comes out of the blogosphere. You hear about it when it happens, because everyone else links to it in their own blogs. I did this recently, linking to a blog entry by Peter Torr of Microsoft.

Audacity sells, and Torr had the audacity to entitle his piece "How can I trust Firefox?" The bottom line of the article is that—unlike Microsoft downloads— Firefox is not digitally signed. How can he be sure that the file he downloads is what it purports to be? Theres more to the post, some of it significant, but Id like to focus briefly on the signature part.

For many, many years, Microsoft has supported digital signatures of files and other items such as ActiveX controls. What these signatures do is to allow a user to verify, with a very high degree of certainty, that a file is from who it purports to be from.

Firefox, needless to say, is not distributed with a signature, but Torr exposed many other weaknesses in the process for a user obtaining and installing it. Responding to an advertisement in the New York Times, he went to the advertised URL, www.getfirefox.com. This redirected him to www.mozilla.org/products/firefox, which makes a kind of sense. But the actual download proceeded from mirror.sg.depaul.edu. I just downloaded it myself and mine came from ftp.funet.fi.

.fi? Im supposed to trust this?

Why the mirrors? Microsoft may be able to throw a few zillion dollars at a problem and get some servers and some bandwidth and distribute huge files, but Firefox, like many open-source projects, relies on mirror sites for distribution. Theres nothing inherently wrong with this—its efficient in a way—but it does underscore Torrs problem, which is that he has no way to confirm that the file is what it purports to be.

One of the common responses to this issue is to claim that Microsoft doesnt sign half the things it puts out either, and to be honest, thats the way I remembered things, too. So to confirm things I went to Microsofts downloads page and downloaded what the page calls the 12 most popular downloads. Every one had a signature. I then trolled the site for obscure patches and other downloads that looked lower-key; I got eight of these and all of them were signed as well. I suppose Microsoft has, over time, gotten their signature act together.

I then went looking at other companies downloads. These were all signed by the companies that made the program:

  • The iTunes setup program
  • The Adobe Acrobat 6.0x setup program
  • The ArgoSoft Mail Server setup program
  • The AOL Instant Messenger setup program
Many other programs I use (my text editor TextPad, ActivePython, Spybot Search and Destroy—even Snood!) were not signed.

Next page: Open source and signatures.