The short answer is that there is a standard method, it's called application signing. The longer answer is a bit more complicated.
With regards to the MD5 hashing idea of yours, there is at least one experimental Firefox plugin that calculates the hashes of downloaded files. You can then manually compare them. Alternatively, many sites offer downloads of text files with the precomputed hashes for their software. You can then force a check using `md5sum -c <hash filename>`. The problem with all these methods is that if an attacker was able to replace the file you downloaded, he would probably also be able to change the hashes listed on the website.
Application signing is the official solution to this problem. It uses public key cryptography and certificate authorities in a manner similar to what is used in the SSL security standard for websites. It works by getting a digital certificate from a certificate authority. This certificate can be verified by anybody, and ensures that the holder is who they say they are. It can also be used to 'sign' a package, which ensures that the package was produced by the holder, and not altered in any way by anyone other than the holder.
So, why don't we see better adoption of these methods? Well, they are already pretty well adopted, and mostly invisible when they work. Major operating systems and browsers use the signatures if they are available by default. Additionally, major Linux distributions sign the software packages and updates they provide using these methods. However, when it comes to the smaller players, we are very unlikely to see major adoption.
The problem here is a mix of hacker poverty and hacker pride. In order to get one of these certificates, you need to pay a large sum of money to one of the certificate authorities. A programmer who doesn't can still sign their own packages without any CA's blessing. By doing this, the user who downloads the file can be sure that only the holder of the certificate touched a particular package, which meets the integrity requirement of your question.
Unfortunately, using a 'self-signed' certificate like this decreases the public confidence in your software, rather than increasing it. If you self-sign, the OS / browser complains loudly when you try to open the package; louder even than for a totally unsigned file. Because the browser or OS does not trust the software creator, it thinks that you shouldn't trust them either.
From this, the hacker complaint is: why should somebody trust some faceless multinational certificate authority more than someone else? What have they ever done to prove themselves more trustworthy than everyone else?
To many people, the certificate issue boils down to extortion: "Pay us $$$ to certify you, or your downloads will be second-rate citizens". That is why application signing has not been adopted by anybody except the biggest players.
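The difference between the hash-file check and package signing described above, as an added example that is not part of the original answer: a `sha256sum -c` style check is reproduced in Go, and the manifest is then signed with Ed25519 (a stand-in for the CA-issued certificate) so that an attacker who replaces both the package and the hash file still fails verification. The file names, contents and the all-zero signing seed are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// manifest writes "hash  filename" lines in the format sha256sum -c reads.
func manifest(files map[string][]byte) string {
	var b strings.Builder
	for name, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	return b.String()
}

// checkHashes is the sha256sum -c step: each listed file must match its hash.
func checkHashes(m string, files map[string][]byte) bool {
	for _, line := range strings.Split(strings.TrimSpace(m), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return false
		}
		data, ok := files[parts[1]]
		sum := sha256.Sum256(data)
		if !ok || hex.EncodeToString(sum[:]) != parts[0] {
			return false
		}
	}
	return true
}

// downloadChecks models a site compromise: the publisher signed the manifest at
// release time; the attacker later swaps the package and recomputes the hash file,
// but cannot re-sign it. Returns whether the hash check and signature check pass.
func downloadChecks(priv ed25519.PrivateKey, published, served map[string][]byte) (hashOK, sigOK bool) {
	sig := ed25519.Sign(priv, []byte(manifest(published)))
	servedManifest := manifest(served)
	pub := priv.Public().(ed25519.PublicKey)
	return checkHashes(servedManifest, served), ed25519.Verify(pub, []byte(servedManifest), sig)
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed zero seed, demo only
	fmt.Println(downloadChecks(priv, map[string][]byte{"app.tar.gz": []byte("genuine")}, map[string][]byte{"app.tar.gz": []byte("tampered")}))
}
```

Running it prints `true false`: the recomputed hash file passes, the signature does not.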