ABSTRACT: In 2002, a series of high-profile compromises of Internet software servers resulted in the alteration of software archives. This prompted an evaluation of the state of trust in the signed software distribution system. Over 2800 archives, representing over 1400 unique software packages, were downloaded and their corresponding signatures evaluated for validity. These software packages were pulled from over 260 different sites, and the signing keys were retrieved only during the verification stage. Of the over 2800 archives checked, only 5 errors were found, three of which were found to be false negatives. Additionally, the characteristics of the keys used to sign these archives, along with the key distribution systems, were studied. These findings highlight weaknesses in the signed archive distribution system and demonstrate clear vulnerabilities facing several projects.
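The verification stage described above has to separate a signature that genuinely fails to match an archive from one that merely could not be checked because the key was not retrievable, expired or revoked, so that the latter can be re-examined instead of being counted as a compromise. The following added example (not code from the paper) shows that triage over the machine-readable status lines GnuPG emits with `--status-fd`; the archive names and key IDs are constructed sample data.

```python
"""Triage gpg --status-fd output for a corpus of signed archives (added example)."""
import re
from dataclasses import dataclass

# Status lines look like "[GNUPG:] KEYWORD args..." (GnuPG doc/DETAILS).
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Verdict:
    archive: str
    status: str  # valid | tampered | key_expired | key_revoked | key_unavailable | unknown
    keyid: str = ""
    note: str = ""

def triage(archive: str, status_lines: list[str]) -> Verdict:
    """Reduce one archive's status output to a single verdict.

    BADSIG: signature does not match the data, so archive or signature was altered.
    NO_PUBKEY / ERRSIG: key could not be obtained; the archive is unverified, not bad.
    EXPKEYSIG / REVKEYSIG: good signature from a key that is now expired or revoked.
    """
    verdict = Verdict(archive, "unknown")
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        kw, fields = m.group(1), (m.group(2) or "").split()
        keyid, who = (fields[0] if fields else ""), " ".join(fields[1:])
        if kw == "GOODSIG":
            return Verdict(archive, "valid", keyid, who)
        if kw == "BADSIG":
            return Verdict(archive, "tampered", keyid, who)
        if kw == "EXPKEYSIG":
            return Verdict(archive, "key_expired", keyid, who)
        if kw == "REVKEYSIG":
            return Verdict(archive, "key_revoked", keyid, who)
        if kw in ("NO_PUBKEY", "ERRSIG"):  # keep scanning; a later line may be decisive
            verdict = Verdict(archive, "key_unavailable", keyid, "key not retrievable")
    return verdict

def summarize(corpus: dict[str, list[str]]) -> dict[str, int]:
    """Count verdicts across a corpus; only 'tampered' is a confirmed failure."""
    counts: dict[str, int] = {}
    for archive, lines in corpus.items():
        v = triage(archive, lines)
        counts[v.status] = counts.get(v.status, 0) + 1
    return counts

# Constructed sample status output for three archives (not real data).
SAMPLE = {
    "foo-1.2.tar.gz": ["[GNUPG:] NEWSIG",
                       "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>"],
    "bar-0.9.tar.gz": ["[GNUPG:] NEWSIG",
                       "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.org>"],
    "baz-3.0.tar.gz": ["[GNUPG:] NEWSIG",
                       "[GNUPG:] ERRSIG FEDCBA9876543210 1 2 00 1035000000 9",
                       "[GNUPG:] NO_PUBKEY FEDCBA9876543210"],
}
```

Running the verifier with a fresh keyring per check, then fetching the key only when gpg reports it missing, reproduces the study's condition of retrieving keys during verification and makes the `key_unavailable` class visible rather than hidden behind a pre-populated keyring.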