Digitally sign software packages

TLDR

The newest certificate used to sign software packages, "VideoLAN Release Signing Key (2013)" expired on 2014-02-03 and since then, the digital signature based verification of the integrity of downloads from VideoLAN is not effective any more.

Why

Guaranteeing the authenticity of VLC and other installation packages shows that VideoLAN makes an effort to defend the security of its users.

Some download channels manage this authenticity themselves (for example linux distros, the Microsoft "Verified publisher" scheme etc.), but for direct downloads from the VideoLAN servers, VideoLAN has chosen to provide checksums (MD5, SHA-1 and SHA-256) and detached PGP digital signatures.

Setting aside discussions about the effectiveness of crypto and the difficulties of its correct deployment, the digital signature option offers the smallest window of opportunity for an attacker to tamper with the download.

Steps to reproduce

Check the expiration date of certificates available at:

• http://download.videolan.org/pub/keys/
• http://download.videolan.org/pub/videolan/keys/

Remediation suggestion

1. Generate a new keypair of 2048 bits (not 1024 any more).
2. Create a new PGP certificate valid for 2 years (even if you stop signing with it after one year, signatures made on the last day of validity should stay valid for one more year).
3. Optional: Get the PGP certificate signed by people whose own certificates are widely trusted (for example, because they attend keysigning parties at conferences).
4. Publish the new certificate at the URLs above (which should be accessible via HTTPS, too, but that's another ticket).
5. Create detached PGP signatures for the packages of all versions that are still supported and upload them next to the software package on the download server.
6. Desirable: Advertise the integrity checking mechanism by adding next to the download buttons links to the signature file (and to checksum files). (this may be a separate ticket)