Posted to general@incubator.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2007/08/30 08:47:15 UTC

[board feedback] Signing Java Jars

The board took up this subject briefly at our Aug 29th meeting.  Below is
the board's feedback:

Marshall Schor wrote:
> 
> Apache signing, to my knowledge, doesn't require use of a certificate
> authority.

Apache projects post trusted signatories in a KEYS or equivalent file within
the http://www.apache.org/dist/{project}/ distribution location.  You may
also advertise any key within the http://people.apache.org/ committers view
by following the instructions on that site for maintaining your .foaf entry.

PGP keys should also be registered at the pgp.mit.edu keyserver, and we ask
you to countersign one another's keys at an appropriate event, such as the
ApacheCon key signing events.

However, the board considers any personal signing mechanism to be equivalent
and appropriate.  So signing a tarball with your PGP key, or a jar with your
Java Code Signing Certificate, or a .NET assembly with a Code Signing Cert
would all be equivalent.  Simply document the trusted certificates in the
appropriate distribution/download directories, and preferably include some
short comments or instructions for users to obtain/validate the signatures
of packages they download.

> I'd be interested to learn if others have gone down the Java JAR signing
> path, and if so,
>  - is it considered an OK alternative to Apache signing,

Source tarballs should still be signed with your pgp key.  Binaries can
be signed (as appropriate) with your code signing certificate as necessary.

>  - how did you get a certificate authority to verify ownership of your
> signing key

If this becomes a frequently used approach and proves to be an issue, the
board will take up the issue of considering obtaining a signing authority
certificate and signing individual certificates at some point in the future,
once a specific proposal is brought to us.

Bill


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
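The flow the board describes above (trusted signers published in a KEYS file, a detached PGP signature on the source tarball, and a way for downloaders to validate it) as an added shell example; this is not part of the thread or of any Apache project's tooling. It uses only gpg and constructs everything it needs: a throwaway signing key, a dummy release tarball, and a KEYS file, all under a temporary directory. The verification step imports only the KEYS file into a fresh keyring and then additionally checks that the fingerprint gpg reports for the valid signature is one of the fingerprints in KEYS, which matters when a downloader verifies with a keyring that already holds other keys.

```shell
#!/bin/sh
# Added example, not from the thread. Signer side: build and sign a release,
# publish the signer's public key as a KEYS file. Downloader side: verify the
# detached signature against KEYS only. All keys and files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RM_HOME="$WORK/rm-gnupg"        # release manager's private keyring
mkdir -m 700 "$RM_HOME"

gpg_rm() { GNUPGHOME="$RM_HOME" gpg --batch --no-tty "$@"; }

make_release() {
  # $1 = path of the tarball to create (constructed content)
  mkdir -p "$WORK/src/project-1.0"
  printf 'constructed release payload\n' > "$WORK/src/project-1.0/README"
  tar -C "$WORK/src" -czf "$1" project-1.0
}

sign_release() {
  # $1 = tarball; writes an ASCII-armored detached signature to $1.asc
  gpg_rm --yes --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$1.asc" "$1"
}

verify_release() {
  # $1 = tarball, $2 = detached signature, $3 = KEYS file
  # Returns 0 only if the signature is good AND made by a key listed in KEYS.
  vhome=$(mktemp -d)
  chmod 700 "$vhome"
  GNUPGHOME="$vhome" gpg --batch --no-tty --import "$3" >/dev/null 2>&1
  # Fingerprints of every key (and subkey) that KEYS contains.
  trusted=$(GNUPGHOME="$vhome" gpg --batch --no-tty --with-colons --fingerprint \
            | awk -F: '/^fpr/{print $10}')
  # --status-fd 1 gives machine-readable status; a bad or unknown-key
  # signature makes gpg exit non-zero, which we map to failure.
  status=$(GNUPGHOME="$vhome" gpg --batch --no-tty --status-fd 1 \
            --verify "$2" "$1" 2>/dev/null) || { rm -rf "$vhome"; return 1; }
  rm -rf "$vhome"
  # VALIDSIG record: "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ..."
  signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/{print $3; exit}')
  [ -n "$signer" ] || return 1
  printf '%s\n' "$trusted" | grep -qx "$signer"
}

RELEASE="$WORK/project-1.0.tar.gz"

if command -v gpg >/dev/null 2>&1; then
  # Throwaway signing key; a real KEYS file holds the committers' long-lived keys.
  gpg_rm --pinentry-mode loopback --passphrase '' --quick-generate-key \
    "Release Manager (constructed) <rm@example.invalid>" rsa2048 sign never 2>/dev/null
  FPR=$(gpg_rm --with-colons --list-secret-keys | awk -F: '/^fpr/{print $10; exit}')
  gpg_rm --armor --export "$FPR" > "$WORK/KEYS"   # what gets published as KEYS

  make_release "$RELEASE"
  sign_release "$RELEASE"

  # A modified download must be rejected even though the .asc is genuine.
  cp "$RELEASE" "$WORK/tampered.tar.gz"
  printf 'x' >> "$WORK/tampered.tar.gz"

  if verify_release "$RELEASE" "$RELEASE.asc" "$WORK/KEYS"; then
    echo "release: signature valid, signer listed in KEYS"
  fi
  if ! verify_release "$WORK/tampered.tar.gz" "$RELEASE.asc" "$WORK/KEYS"; then
    echo "tampered copy: rejected"
  fi
fi
```

The same shape applies to the jar case raised in the thread: the trusted certificate is documented in the download directory and the downloader checks the artifact against it (for jars, `jarsigner -verify` on the file) rather than trusting whatever signer the artifact carries.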


Re: [board feedback] Signing Java Jars

Posted by Frank Bille <fr...@apache.org>.
Note taken :)

Frank

On 8/30/07, Martijn Dashorst <ma...@gmail.com> wrote:
>
> An interesting response to a question asked on the incubator list
> (general@) regarding signing releases. If you are a prospective release
> manager, take note!
>
> Martijn
>
> ---------- Forwarded message ----------
> From: William A. Rowe, Jr. <wr...@rowe-clan.net>
> Date: Aug 30, 2007 8:47 AM
> Subject: [board feedback]  Signing Java Jars
> To: general@incubator.apache.org
>
>
> The board took up this subject briefly at our Aug 29th meeting.  Below is
> the board's feedback:
>
> Marshall Schor wrote:
> >
> > Apache signing, to my knowledge, doesn't require use of a certificate
> > authority.
>
> Apache projects post trusted signatories in a KEYS or equivalent file
> within
> the http://www.apache.org/dist/{project}/ distribution location.  You may
> also advertise any key within the http://people.apache.org/ committers
> view
> by following the instructions on that site for maintaining your .foaf
> entry.
>
> PGP keys should also be registered at the pgp.mit.edu keyserver, and we
> ask
> you to countersign one another's keys at an appropriate event, such as the
> ApacheCon key signing events.
>
> However, the board considers any personal signing mechanism to be
> equivalent
> and appropriate.  So signing a tarball with your PGP key, or a jar with
> your
> Java Code Signing Certificate, or a .NET assembly with a Code Signing Cert
> would all be equivalent.  Simply document the trusted certificates in the
> appropriate distribution/download directories, and preferably include some
> short comments or instructions for users to obtain/validate the signatures
> of packages they download.
>
> > I'd be interested to learn if others have gone down the Java JAR signing
> > path, and if so,
> >  - is it considered an OK alternative to Apache signing,
>
> Source tarballs should still be signed with your pgp key.  Binaries can
> be signed (as appropriate) with your code signing certificate as
> necessary.
>
> >  - how did you get a certificate authority to verify ownership of your
> > signing key
>
> If this becomes a frequently used approach and proves to be an issue, the
> board will take up the issue of considering obtaining a signing authority
> certificate and signing individual certificates at some point in the
> future,
> once a specific proposal is brought to us.
>
> Bill
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>
>
> --
> Buy Wicket in Action: http://manning.com/dashorst
> Apache Wicket 1.3.0-beta3 is released
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0-beta3/
>

Fwd: [board feedback] Signing Java Jars

Posted by Martijn Dashorst <ma...@gmail.com>.
An interesting response to a question asked on the incubator list
(general@) regarding signing releases. If you are a prospective release
manager, take note!

Martijn

---------- Forwarded message ----------
From: William A. Rowe, Jr. <wr...@rowe-clan.net>
Date: Aug 30, 2007 8:47 AM
Subject: [board feedback]  Signing Java Jars
To: general@incubator.apache.org


The board took up this subject briefly at our Aug 29th meeting.  Below is
the board's feedback:

Marshall Schor wrote:
>
> Apache signing, to my knowledge, doesn't require use of a certificate
> authority.

Apache projects post trusted signatories in a KEYS or equivalent file within
the http://www.apache.org/dist/{project}/ distribution location.  You may
also advertise any key within the http://people.apache.org/ committers view
by following the instructions on that site for maintaining your .foaf entry.

PGP keys should also be registered at the pgp.mit.edu keyserver, and we ask
you to countersign one another's keys at an appropriate event, such as the
ApacheCon key signing events.

However, the board considers any personal signing mechanism to be equivalent
and appropriate.  So signing a tarball with your PGP key, or a jar with your
Java Code Signing Certificate, or a .NET assembly with a Code Signing Cert
would all be equivalent.  Simply document the trusted certificates in the
appropriate distribution/download directories, and preferably include some
short comments or instructions for users to obtain/validate the signatures
of packages they download.

> I'd be interested to learn if others have gone down the Java JAR signing
> path, and if so,
>  - is it considered an OK alternative to Apache signing,

Source tarballs should still be signed with your pgp key.  Binaries can
be signed (as appropriate) with your code signing certificate as necessary.

>  - how did you get a certificate authority to verify ownership of your
> signing key

If this becomes a frequently used approach and proves to be an issue, the
board will take up the issue of considering obtaining a signing authority
certificate and signing individual certificates at some point in the future,
once a specific proposal is brought to us.

Bill


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org



-- 
Buy Wicket in Action: http://manning.com/dashorst
Apache Wicket 1.3.0-beta3 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0-beta3/