Hi,
My 2¢ on signing binaries.
To sign an application means that you attach a private key to the application. A key is a big number. When the application is about to run, the Operating System (OS - e.g., Windoze, MacOuze, Linux) will try to verify the key by using a public key (another big number) according to some algorithm. If that succeeds, then the OS may decide to trust that the application isn’t malicious, if the public key is trusted. That typically means that there’s a chain of trust that leads back to the OS provider (via signed certificates).
Now, a private key is … well … private. That means only a single person (or small group of persons) have access to it. In terms of software signing, that means that the developer, or developer group, has the private key.
That also means that if software A is built by someone other than the developers, then they cannot sign the built binary application, since they do no have access to the private key. Thus, the application isn’t the same as the original.
VASSAL is OpenSource Software (OSS - licensed under the GNU Lesser General Public License 2.1 - AKA LGPL-2.1 - see the LICENSE
file in the distribution - which you already read right?). One of the promises made by OSS is that the original developers do not have particular privilege over the software - anyone can pick it up, modify it, expand upon it, fix problems, tailor it to their needs (think VASL). Another promise is that you can always audit the code yourself (or get someone you trust to do it), so that you can satisfy yourself that the software isn’t malicious.
Code signing sort of goes against the first idea (no privilged position). If VASSAL developers signed the application, then it would put them in a privileged position.
Now what are the ramifications of signing or not signing
- an OS may completely reject applications that have not been signed with a trusted key (iOS for example - which is how the Führer von Appfel can hold a tight grip on the dominions)
- an OS may sandbox an unsigned application meaning it will not be able to access resources outside of a well-defined boundary. This could be done to ensure that an unsigned application cannot access sensitive (think net-banking) communications via security holes in the OS (buffer overflows, etc. - something Windoze is pretty littered with). Alternatively, an OS could decide to not allow some signed and unsigned applications to run at the same time.
- Other OSs may decide to trust the users to make informed decisions, and only set up (de-centralised) signing and certificates on the distribution side (most Linux distros).
- A signed application is no guarantee against malicious code. To ensure an application is not malicious - by design or otherwise - some one has to audit the code in minute detail. Who that someone is is to some extent the crux of the problem. in OSS, it is essentially the end users or their agents. The idea being that “given enough eyes, all bugs [and vulnerabilities] are shallow.” to slightly paraphrase E.S.Raimond. In the proprietary world it is often left to some third party who may or may not have the best of intentions, which is wholly opaque to the end user.
Finally, to get your signature approved (signed by other authority) is typically a rather expensive thing to do. Given that the benefits are small - at least for OSS and something like VASSAL, it makes sense not to incur that cost.
Yours,
Christian