Posted to infrastructure-dev@apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/12/05 18:52:01 UTC

Proposed: Code (.jar/.msi/binaries) Signing Service Offer

On the subject of signing jars, Windows binaries and .msi installer
packages, it seems that infra-dev is partial to the ability to revoke
package signatures if an artifact is not released or is found to have
been corrupted, and that the code signing service from Symantec /
VeriSign / Thawte is the way to go here.

I spoke with Richard and Dean who confirmed that this service would
be offered at no cost to the ASF.  User accounts would be as one of two
roles, an administrator (root-ish) level and a publisher (committer)
who needs to sign packages.  There is no integration at present for
PAM style authentication into our ldap, or SSO solution in this
specific service so we would have to create accounts for each committer
who is doing signed binary releases.

It is batch-able and can be automated.  Obviously there is some work
around setting up that functionality, but it can run on the signer's
own PC as opposed to a central repository.  Here's a background paper
on the code signing portal itself;

http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf

It is due a major revision entering (or already in?) beta.  That version
introduces support for .jar signing in addition to Win binary/msi signing.
I asked and they are researching whether Apache could be invited to
participate in the beta, since we would only just be getting up to speed
by the time that portal version launches.

One major step would be for Sam, who is both our Legal VP and Infra VP,
to review the actual agreement/paperwork in detail and determine that
it would be something we are able to sign.  Dean, could you forward that
to Sam, even as we all learn more about the service and come to a decision
of whether we should adopt it or not?

Dean and Richard are happy to answer any questions, here's one that
we started during a brief introductory call.  They are just coming
up to speed about how we handle our infrastructure through mailing
lists, so be nice, and please remember reply-to-all if you want them
to respond!


 Q. Support for JavaScript signing for frameworks like ajax?

On 12/5/2011 11:21 AM, Richard Hall wrote:
> 
> I looked into the java script signing that you had asked about and it's not something that we currently do (although not to say that we couldn't do it).  Is this something that you're doing today, and if so, what sign tool are you using (jar signer, Microsoft's sign tool, etc.).  It's our understanding that even if we provide signing for java scripts that there is currently no way to validate this in any existing infrastructure (browsers, etc.) unless you've implemented your own way of doing this.
> 
> Thanks for any additional input you can provide.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Rob Weir <ro...@apache.org>.
On Thu, Aug 16, 2012 at 4:38 PM, Dave Fisher <da...@comcast.net> wrote:
>
> On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:
>
>> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>>> Maybe infra-structure can give me feedback what doesn't work with these
>>> proposals. And as typical at Apache if you have concerns (-1) come up
>>> with another proposal that fulfills better the needs of infra-structure
>>
>> Infra do have veto power over PMCs with respect to solutions that
>> involve obtaining and maintaining any sort of central secret (e.g.,
>> certificate private key).
>>
>> Now, would you quit citing policies of this org to people who had been
>> Members thereof before you heard of it?
>
> One of Jürgen's proposals was in essence to have infrastructure controlled buildbots with project provided setups which would be run by the Infrastructure team that would include certificates that were under Infrastructure's control. These buildbots would be based on the project's ci buildbots. Infrastructure would be given the release tag and would be able to fully build each of the binary artifacts on the appropriate OS.
>

I like the direction this is headed.  One consideration is whether
every build is signed or whether this is done only on request.  If
done on request we need to determine how a request is made.  The more
complicated case is with security-fix related releases where there
would be a need to keep the existence and timing of that release private
until the last possible opportunity.

-Rob


> Perhaps that would meet Infrastructure's approval?
>
> So far these proposals have been met with lazy -1's. Please tell us what is wrong with these ideas? This really is a good faith attempt to be compliant with what we all agree are important policies. Specifically assuring that the ASF's credibility is not in any way damaged by the misuse of an apache.org digital signing certificate.
>
> Regards,
> Dave
>
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:

> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>> Maybe infra-structure can give me feedback what doesn't work with these
>> proposals. And as typical at Apache if you have concerns (-1) come up
>> with another proposal that fulfills better the needs of infra-structure
> 
> Infra do have veto power over PMCs with respect to solutions that
> involve obtaining and maintaining any sort of central secret (e.g.,
> certificate private key).
> 
> Now, would you quit citing policies of this org to people who had been
> Members thereof before you heard of it?

One of Jürgen's proposals was in essence to have infrastructure controlled buildbots with project provided setups which would be run by the Infrastructure team that would include certificates that were under Infrastructure's control. These buildbots would be based on the project's ci buildbots. Infrastructure would be given the release tag and would be able to fully build each of the binary artifacts on the appropriate OS.

Perhaps that would meet Infrastructure's approval?

So far these proposals have been met with lazy -1's. Please tell us what is wrong with these ideas? This really is a good faith attempt to be compliant with what we all agree are important policies. Specifically assuring that the ASF's credibility is not in any way damaged by the misuse of an apache.org digital signing certificate.

Regards,
Dave



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
> Maybe infra-structure can give me feedback what doesn't work with these
> proposals. And as typical at Apache if you have concerns (-1) come up
> with another proposal that fulfills better the needs of infra-structure

Infra do have veto power over PMCs with respect to solutions that
involve obtaining and maintaining any sort of central secret (e.g.,
certificate private key).

Now, would you quit citing policies of this org to people who had been
Members thereof before you heard of it?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Rob,

On Wed, Aug 29, 2012 at 7:27 PM, Rob Weir <ro...@apache.org> wrote:
> ...In any case, the root page is "immutable" for me.  Can someone with
> sufficient rights create the new page?...

I have created http://wiki.apache.org/general/ASFCodeSigning and made
some suggestions in there as to how to go forward.

-Bertrand

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 17, 2012 at 12:29 PM, Tony Stevenson <pc...@apache.org> wrote:
>
> On 17 Aug 2012, at 12:38, Tony Stevenson <to...@pc-tony.com> wrote:
>
>> wiki.a.o/general/FooSSLPageHere or some such would be fine with me.
>

As a top-level page?  Or would we prefer to structure it as an
infra-dev root page and a code signing page linked from there?

In any case, the root page is "immutable" for me.  Can someone with
sufficient rights create the new page?

-Rob

> Actually the more I think about it, the better this seems.  Once all the proposals are ready for review please ping us and we can take it on, then.  That would be infinitely easier than collating all the emails on the topic.
>
>
>
> Tony
>
> ---------------------------------------
> Tony Stevenson
>
> tony@pc-tony.com // pctony@apache.org
> tony@caret.cam.ac.uk
>
> http://blog.pc-tony.com
>
> GPG - 1024D/51047D66
> --------------------------------------
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.
On 17 Aug 2012, at 12:38, Tony Stevenson <to...@pc-tony.com> wrote:

> wiki.a.o/general/FooSSLPageHere or some such would be fine with me. 

Actually the more I think about it, the better this seems.  Once all the proposals are ready for review please ping us and we can take it on, then.  That would be infinitely easier than collating all the emails on the topic.



Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <to...@pc-tony.com>.
On 17 Aug 2012, at 12:35, Bertrand Delacretaz <bd...@apache.org> wrote:

> On Thu, Aug 16, 2012 at 8:47 PM, William A. Rowe Jr.
> <wr...@rowe-clan.net> wrote:
>> ...If this proposal is also added to a Wiki, I think it will become less confusing
>> for folks to follow....
> 
> Big +1, considering that it's a somewhat disjoint group of people who
> are interested in this, I would suggest that representatives of the
> projects that need this work together on a wiki page that defines
> their *requirements* (without talking about tools at first, if
> possible, or at least clearly separate the core requirements from
> tools suggestions) so that infra and others can look at that and
> attack the problem at its core.
> 

wiki.a.o/general/FooSSLPageHere or some such would be fine with me. 
 

> I assume it's fine to use this list to coordinate this requirements work.
> 
> -Bertrand


Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Aug 16, 2012 at 8:47 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> ...If this proposal is also added to a Wiki, I think it will become less confusing
> for folks to follow....

Big +1, considering that it's a somewhat disjoint group of people who
are interested in this, I would suggest that representatives of the
projects that need this work together on a wiki page that defines
their *requirements* (without talking about tools at first, if
possible, or at least clearly separate the core requirements from
tools suggestions) so that infra and others can look at that and
attack the problem at its core.

I assume it's fine to use this list to coordinate this requirements work.

-Bertrand

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/16/2012 1:25 PM, Om wrote:
> On Wed, Aug 15, 2012 at 3:53 PM, Om <bi...@gmail.com> wrote:
> 
>> Tony,
>>
>> On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
>> proposal: [1]
>> On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
>> original proposal so that it works for Apache Flex as well: [2]
>>
>> Can you please take a look and let me know if this works and what else
>> needs to be answered?
>>
>> Thanks,
>> Om
>>
>> [1] http://markmail.org/message/2xx5ia72b6xestur
>> [2] http://markmail.org/message/chupjp5tsuosiu23
>>
>>
> Before this gets buried, I want to highlight the current proposals on the
> table and ask for feedback.  If we get feedback, we will be able to move
> forward.

If this proposal is also added to a Wiki, I think it will become less confusing
for folks to follow.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Wed, Aug 15, 2012 at 3:53 PM, Om <bi...@gmail.com> wrote:

> Tony,
>
> On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
> proposal: [1]
> On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
> original proposal so that it works for Apache Flex as well: [2]
>
> Can you please take a look and let me know if this works and what else
> needs to be answered?
>
> Thanks,
> Om
>
> [1] http://markmail.org/message/2xx5ia72b6xestur
> [2] http://markmail.org/message/chupjp5tsuosiu23
>
>
Before this gets buried, I want to highlight the current proposals on the
table and ask for feedback.  If we get feedback, we will be able to move
forward.

Thanks,
Om

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
Tony,

On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
proposal: [1]
On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
original proposal so that it works for Apache Flex as well: [2]

Can you please take a look and let me know if this works and what else needs
to be answered?

Thanks,
Om

[1] http://markmail.org/message/2xx5ia72b6xestur
[2] http://markmail.org/message/chupjp5tsuosiu23

On Wed, Aug 15, 2012 at 3:20 PM, Tony Stevenson <pc...@apache.org> wrote:

>
>
> Sent from my iPad
>
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>
> > On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net>
> wrote:
> >
> >>
> >> On Jul 19, 2012, at 11:16 AM, Om wrote:
> >>
> >> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <
> Richard_Hall@symantec.com>wrote:
> >>
> >>> Hi Dave,
> >>>
> >>> Our hosted signing service does not currently provide the ability to
> sign
> >>> Air applications, but we do offer Code Signing certs for Adobe Air
> from our
> >>> website:
> >>>
> >>> http://www.symantec.com/verisign/code-signing/adobe-air
> >>>
> >>> Would this work for you?  Please let us know if you have any questions.
> >>>
> >>> Thanks,
> >>>
> >>> Rich
> >>>
> >>>
> >> Rich,
> >>
> >> This would work perfectly fine for us.
> >>
> >>
> >> Om,
> >>
> >> And now the question is for the Apache Infrastructure team. Assuming
> that
> >> an apache.org certificate for signing Air applications is purchased The
> >> ASF how will it be handled? And that is the other thread.
> >>
> >> Thanks,
> >> Dave
> >>
> >>
> > Do we know if there has been any work/discussion on this?  We are
> preparing
> > our installer app for release and valid certificate would be very good to
> > have.
> >
> > What should I (or infra) do to get this certificate approved and
> purchased
> > for us by us?  How can I help speed up this process?
> >
> > Thanks,
> > Om
>
>
> Om,
>
> We, infra, are still waiting for someone to come to us with a proposal on
> how to deploy this within the bounds we have laid out several times both
> here and in Jira. We won't just randomly set something up.
>
> Until we are in receipt of such, and we have had a chance to review the same
> we won't be purchasing any such certificate, and no project should be going
> direct to any supplier to do the same. There are very real concerns we have
> and we want to see them fully addressed before proceeding.
>
> To be clear, this needs to stop at this juncture until we are happy to
> proceed. If you require this for delivery of a binary installer, can I
> suggest that you and your project, perhaps in conjunction with another
> projects come up with this plan we have asked for.

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Aug 16, 2012, at 12:08 AM, Jürgen Schmidt wrote:

> On 8/16/12 1:38 AM, Dave Fisher wrote:
>> Hi Tony,
>> 
>> The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.
>> 
>> Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.
>> 
> it can be a duplicate image of the Windows build bot where the
> certificate is installed. The builds have to be triggered by someone who
> has access to this machine. But we can of course automate it probably
> to simply start a script and give a revision as input

Exactly.

> 
> 
>> I think that Flex will want both Windows and Mac buildbots as well.
> 
> AOO in the future as well

Andrew is waiting for the Mac buildbot - here is the buildbot master JIRA for AOO - INFRA-4197 More Buildbots for Apache OpenOffice

> 
>> 
>> INFRA-4902 Create Mac buildbot
>> 
>> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)
> 
> What exactly are your problems, which system do you use, Mountain Lion?
> Until today I am not aware that anybody has built AOO on Mountain Lion
> and even on Lion it requires some work. Apple/MacOS is not really
> developer friendly if you don't walk inside the "closed" Apple world ;-)

I've got past this issue. cpan had its permissions changed removing the a+x.

I had to upgrade LWP::UserAgent in cpan. cpan install only saw I had LWP::UserAgent and this was missing the show_progress method.

I'm on MacOSX 10.6.8

> 
>> 
>> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)
> 
> that's true, signing from Apple or from a developer with an official and
> registered Apple developer ID. I haven't analyzed the signing process on
> Mountain Lion in detail so far but that is on the list.

My newer Mac is on Lion w/a free Mountain Lion upgrade, but I haven't had the free time to move everything around as I need more backup disk space first.

And yes this is a detail.

> 
> Juergen
> 
>> 
>> Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."
>> 
>> Regards,
>> Dave 
>> 
>> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>> 
>>> 
>>> 
>>> Sent from my iPad
>>> 
>>> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>>> 
>>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>>> 
>>>>> 
>>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>> 
>>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com>wrote:
>>>>> 
>>>>>> Hi Dave,
>>>>>> 
>>>>>> Our hosted signing service does not currently provide the ability to sign
>>>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>>>> website:
>>>>>> 
>>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>> 
>>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Rich
>>>>>> 
>>>>>> 
>>>>> Rich,
>>>>> 
>>>>> This would work perfectly fine for us.
>>>>> 
>>>>> 
>>>>> Om,
>>>>> 
>>>>> And now the question is for the Apache Infrastructure team. Assuming that
>>>>> an apache.org certificate for signing Air applications is purchased The
>>>>> ASF how will it be handled? And that is the other thread.
>>>>> 
>>>>> Thanks,
>>>>> Dave
>>>>> 
>>>>> 
>>>> Do we know if there has been any work/discussion on this?  We are preparing
>>>> our installer app for release and valid certificate would be very good to
>>>> have.
>>>> 
>>>> What should I (or infra) do to get this certificate approved and purchased
>>>> for us by us?  How can I help speed up this process?
>>>> 
>>>> Thanks,
>>>> Om
>>> 
>>> 
>>> Om, 
>>> 
>>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
>>> 
>>> Until we are in receipt of such, and we have had a chance to review the same we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>>>
>>> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another projects come up with this plan we have asked for.
>> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/16/12 1:38 AM, Dave Fisher wrote:
> Hi Tony,
> 
> The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.
> 
> Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.
> 
it can be a duplicate image of the Windows build bot where the
certificate is installed. The builds have to be triggered by someone who
has access to this machine. But we can of course automate it probably
to simply start a script and give a revision as input


> I think that Flex will want both Windows and Mac buildbots as well.

AOO in the future as well

> 
> INFRA-4902 Create Mac buildbot
> 
> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)

What exactly are your problems, which system do you use, Mountain Lion?
Until today I am not aware that anybody has built AOO on Mountain Lion
and even on Lion it requires some work. Apple/MacOS is not really
developer friendly if you don't walk inside the "closed" Apple world ;-)

> 
> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)

that's true, signing from Apple or from a developer with an official and
registered Apple developer ID. I haven't analyzed the signing process on
Mountain Lion in detail so far but that is on the list.

Juergen

> 
> Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."
> 
> Regards,
> Dave 
> 
> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
> 
>>
>>
>> Sent from my iPad
>>
>> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>>
>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>>
>>>>
>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>
>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com>wrote:
>>>>
>>>>> Hi Dave,
>>>>>
>>>>> Our hosted signing service does not currently provide the ability to sign
>>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>>> website:
>>>>>
>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>
>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Rich
>>>>>
>>>>>
>>>> Rich,
>>>>
>>>> This would work perfectly fine for us.
>>>>
>>>>
>>>> Om,
>>>>
>>>> And now the question is for the Apache Infrastructure team. Assuming that
>>>> an apache.org certificate for signing Air applications is purchased The
>>>> ASF how will it be handled? And that is the other thread.
>>>>
>>>> Thanks,
>>>> Dave
>>>>
>>>>
>>> Do we know if there has been any work/discussion on this?  We are preparing
>>> our installer app for release and valid certificate would be very good to
>>> have.
>>>
>>> What should I (or infra) do to get this certificate approved and purchased
>>> for us by us?  How can I help speed up this process?
>>>
>>> Thanks,
>>> Om
>>
>>
>> Om, 
>>
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
>>
>> Until we are in receipt of such, and we have had a chance to review the same we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>>
>> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another projects come up with this plan we have asked for.
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Scott Deboy <sc...@gmail.com>.
Chainsaw also has a need to deliver a Mac image (DMG) as well as signed
jars for web start deployment.  I assume the DMG would need the same
support mentioned for Mountain Lion.

Scott

On Wed, Aug 15, 2012 at 4:38 PM, Dave Fisher <da...@comcast.net> wrote:

> Hi Tony,
>
> The bounds are very tight. I thought that Jürgen was pretty clear about
> how the reality of the current build makes it difficult to create a bot to
> do this. His proposal is essentially special buildbots under infra's
> control.
>
> Perhaps if AOO had all the various requested buildbots we might figure out
> how to make the proposed special buildbot that only infra can control
> because it has these special certificates.
>
> I think that Flex will want both Windows and Mac buildbots as well.
>
> INFRA-4902 Create Mac buildbot
>
> (I just entered perl / cpan hell and going into time machine due to a
> missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working
> buildbot would have caught this issue.)
>
> BTW - Mountain Lion is requiring Signing Certs from Apple and not others.
> (It's what I hear on the street, am I wrong Dean and Richard?)
>
> Does it make sense to proceed with platforms that are needed for CI and
> where the signing solution would possibly "live."
>
> Regards,
> Dave
>
> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>
> >
> >
> > Sent from my iPad
> >
> > On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> >
> >> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net>
> wrote:
> >>
> >>>
> >>> On Jul 19, 2012, at 11:16 AM, Om wrote:
> >>>
> >>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <
> Richard_Hall@symantec.com>wrote:
> >>>
> >>>> Hi Dave,
> >>>>
> >>>> Our hosted signing service does not currently provide the ability to
> sign
> >>>> Air applications, but we do offer Code Signing certs for Adobe Air
> from our
> >>>> website:
> >>>>
> >>>> http://www.symantec.com/verisign/code-signing/adobe-air
> >>>>
> >>>> Would this work for you?  Please let us know if you have any
> questions.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Rich
> >>>>
> >>>>
> >>> Rich,
> >>>
> >>> This would work perfectly fine for us.
> >>>
> >>>
> >>> Om,
> >>>
> >>> And now the question is for the Apache Infrastructure team. Assuming
> that
> >>> an apache.org certificate for signing Air applications is purchased
> The
> >>> ASF how will it be handled? And that is the other thread.
> >>>
> >>> Thanks,
> >>> Dave
> >>>
> >>>
> >> Do we know if there has been any work/discussion on this?  We are
> preparing
> >> our installer app for release and valid certificate would be very good
> to
> >> have.
> >>
> >> What should I (or infra) do to get this certificate approved and
> purchased
> >> for us by us?  How can I help speed up this process?
> >>
> >> Thanks,
> >> Om
> >
> >
> > Om,
> >
> > We, infra, are still waiting for someone to come to us with a proposal
> on how to deploy this within the bounds we have laid out several times both
> here and in Jira. We won't just randomly set something up.
> >
> > Until we are in receipt of such, and we have had a chance to review the
> same we won't be purchasing any such certificate, and no project should be
> going direct to any supplier to do the same. There are very real concerns
> we have and we want to see them fully addressed before proceeding.
> >
> > To be clear, this needs to stop at this juncture until we are happy to
> proceed. If you require this for delivery of a binary installer, can I
> suggest that you and your project, perhaps in conjunction with another
> projects come up with this plan we have asked for.
>
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
Hi Tony,

The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.

Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.

I think that Flex will want both Windows and Mac buildbots as well.

INFRA-4902 Create Mac buildbot

(I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)

BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)

Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."

Regards,
Dave 

On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:

> 
> 
> Sent from my iPad
> 
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> 
>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>> 
>>> 
>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>> 
>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com>wrote:
>>> 
>>>> Hi Dave,
>>>> 
>>>> Our hosted signing service does not currently provide the ability to sign
>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>> website:
>>>> 
>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>> 
>>>> Would this work for you?  Please let us know if you have any questions.
>>>> 
>>>> Thanks,
>>>> 
>>>> Rich
>>>> 
>>>> 
>>> Rich,
>>> 
>>> This would work perfectly fine for us.
>>> 
>>> 
>>> Om,
>>> 
>>> And now the question is for the Apache Infrastructure team. Assuming that
>>> an apache.org certificate for signing Air applications is purchased The
>>> ASF how will it be handled? And that is the other thread.
>>> 
>>> Thanks,
>>> Dave
>>> 
>>> 
>> Do we know if there has been any work/discussion on this?  We are preparing
>> our installer app for release and valid certificate would be very good to
>> have.
>> 
>> What should I (or infra) do to get this certificate approved and purchased
>> for us by us?  How can I help speed up this process?
>> 
>> Thanks,
>> Om
> 
> 
> Om, 
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> Until we are in receipt of such, and we have had a chance to review the same we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>
> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another projects come up with this plan we have asked for.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/16/12 12:20 AM, Tony Stevenson wrote:
> 
> 
> Sent from my iPad
> 
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> 
>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>
>>>
>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>
>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Our hosted signing service does not currently provide the ability to sign
>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>> website:
>>>>
>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>
>>>> Would this work for you?  Please let us know if you have any questions.
>>>>
>>>> Thanks,
>>>>
>>>> Rich
>>>>
>>>>
>>> Rich,
>>>
>>> This would work perfectly fine for us.
>>>
>>>
>>> Om,
>>>
>>> And now the question is for the Apache Infrastructure team. Assuming that
>>> an apache.org certificate for signing AIR applications is purchased by The
>>> ASF, how will it be handled? And that is the other thread.
>>>
>>> Thanks,
>>> Dave
>>>
>>>
>> Do we know if there has been any work/discussion on this?  We are preparing
>> our installer app for release and valid certificate would be very good to
>> have.
>>
>> What should I (or infra) do to get this certificate approved and purchased
>> for us by us?  How can I help speed up this process?
>>
>> Thanks,
>> Om
> 
> 
> Om, 
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding. 
> 
> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another project, come up with this plan we have asked for. 
> 

It's possible that I completely misunderstand you, but I think that I
have provided 2 proposals for how such a process can be handled by the
example of AOO. And I offered my help to set up, for example, a special
build machine (1 of my proposals).

I have also explained in detail how complex it is in case of AOO and
that it is a 2 step process.

Maybe infra-structure can give me feedback on what doesn't work with these
proposals. And as is typical at Apache, if you have concerns (-1), come up
with another proposal that better fulfills the needs of infra-structure
and of course the projects that need the signing process. I have thought
about it and discussed it with some colleagues and we have no better
proposal so far.

But we should really drive this forward. If it comes out that it is not
possible at all, we should figure out if it is possible to find an
external sponsor for a certificate that we can use to sign the binaries.

Regards
Juergen





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/16/2012 7:52 AM, Mark Thomas wrote:
> 
> I suggest you read the entire thread and then consider offering the
> Infra team generally and Tony specifically an apology.

I have, there is a pdf whitepaper in the archives that Tony can refer
back to, if he were interested.  We have iterated the logic on any
number of occasions in the past year, and I spelled out exactly my
logic on dropping an offer of building an incomplete code signing
service on ASF hardware.  We simply cannot provide the same detail
and control that the Symantec plan offers.

There are two further interactions with Symantec on this subject, one
is for Sam in a position of authority or another to approach Symantec
for the precise details of their offer.  The other is to gather the
implementation details and I suspect that beta access to this service
is going to be required to determine how all the bits can be married
together across various build systems, including Maven.

I'm going to attribute his claim that nobody has provided any detailed
proposal to email overload and a request for collecting that data on
some wiki.

Sorry Tony.  Please point me to the wiki you wish me to use to gather
the relevant email-archived details?

> Om & Dave Fisher asked about signing Adobe Air applications
> 
> Richard Hall stated that the Symantec signing service *does not* support
> Adobe Air but that a code signing cert could be made available.
> 
> Om asked if there has been any progress.
> 
> Tony replied (again) that a concrete proposal needs to be made for an
> ASF hosted signing service for infrastructure to consider. Some ideas
> have been floated but there has not yet been a proposal in sufficient
> level of detail for infrastructure to evaluate.
> 
> The Symantec service may solve some problems but it is not a panacea.

Agreed in part (Apple being a huge enigma).  But if Apple certs are per
Apple ADC developer, we have far fewer issues than dealing with org sigs.
This becomes the equivalent of GPG keys.



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Mark Thomas <ma...@apache.org>.
On 16/08/2012 06:38, William A. Rowe Jr. wrote:
> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>>
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.
> 
> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.
> 
> The most sensical proposal is in front of your face, so your statement
> is completely crap.

Bill,

I suggest you read the entire thread and then consider offering the
Infra team generally and Tony specifically an apology.

Om & Dave Fisher asked about signing Adobe Air applications

Richard Hall stated that the Symantec signing service *does not* support
Adobe Air but that a code signing cert could be made available.

Om asked if there has been any progress.

Tony replied (again) that a concrete proposal needs to be made for an
ASF hosted signing service for infrastructure to consider. Some ideas
have been floated but there has not yet been a proposal in sufficient
level of detail for infrastructure to evaluate.

The Symantec service may solve some problems but it is not a panacea.

Mark

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.
On 16 Aug 2012, at 06:38, "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:

> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>> 
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.

What offers?  Use Symantec?  That's hardly a detailed proposal as we have stated we want.  

> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.

Interesting, why has no one mentioned this level of detail before?  Where is the detailed proposal around this offering?  We are not just going to allow projects to say 'let's use Symantec (as good, or as poor as their offering may be) - we'll figure out the details later'. We have been very clear about this from day one. 

All we have asked for is a detailed proposal (which I don't take your email to be as such). That we will review and decide on thereafter.  

> The most sensical proposal is in front of your face, so your statement
> is completely crap.

Take your acrimonious pain in the ass attitude and use it somewhere more sensible please Bill. 



Cheers,
Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/15/2012 5:20 PM, Tony Stevenson wrote:
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 

I don't know how it's possible for infra to remain so deaf and ignorant
to the offers on the table.

In the Symantec proposal, each artifact is individually audited and
revocable.  Admin rights remain entirely in infra root's hands (given
some basic trust to the agency which issues most every code signing
certificate, every trust model has some issues like this).  Committers
continue to generate artifacts as they always have and are accountable
for the bits they sign with ASF credentials, without ever possessing
the keys to sign arbitrary objects outside of the auditable schema.

The most sensical proposal is in front of your face, so your statement
is completely crap.
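
The trust model described in this message (the signing key stays inside the service, every signature is logged per artifact, and an administrator can revoke a single artifact), sketched as an added example that is not part of the original post and is not Symantec's API. The class, method, account and artifact names are hypothetical, the sample bytes are constructed, and HMAC-SHA256 stands in for the certificate-based signature a real service would produce.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    """One line of the signing log: who signed which artifact."""
    seq: int
    publisher: str
    artifact_name: str
    sha256: str


class SigningService:
    """Hypothetical hosted signer. The key is created and used only here."""

    def __init__(self, admins, publishers):
        # Assumption: a random secret stands in for the private signing key.
        self._key = secrets.token_bytes(32)
        self._admins = frozenset(admins)
        self._publishers = frozenset(publishers)
        self._audit = []    # append-only list of AuditRecord
        self._revoked = {}  # artifact sha256 -> revocation reason

    def _mac(self, digest):
        return hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()

    def sign(self, publisher, artifact_name, data):
        """Publisher role: submit bytes, get back (sha256, signature)."""
        if publisher not in self._publishers:
            raise PermissionError(f"{publisher} is not a publisher")
        digest = hashlib.sha256(data).hexdigest()
        self._audit.append(
            AuditRecord(len(self._audit) + 1, publisher, artifact_name, digest))
        return digest, self._mac(digest)

    def revoke(self, admin, sha256, reason):
        """Administrator role: revoke one artifact, leaving the others valid."""
        if admin not in self._admins:
            raise PermissionError(f"{admin} is not an administrator")
        if all(rec.sha256 != sha256 for rec in self._audit):
            raise KeyError("no signing record for that digest")
        self._revoked[sha256] = reason

    def audit_log(self, admin):
        """Administrator role: read-only copy of the signing log."""
        if admin not in self._admins:
            raise PermissionError(f"{admin} is not an administrator")
        return tuple(self._audit)

    def verify(self, data, signature):
        """Return 'valid', 'revoked' or 'invalid' for an artifact/signature pair."""
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(self._mac(digest), signature):
            return "invalid"
        return "revoked" if digest in self._revoked else "valid"


def demo():
    """Sign two constructed artifacts, revoke one, and report the outcome."""
    svc = SigningService(admins={"infra-root"}, publishers={"rm-alice"})
    release = b"constructed sample: released installer bytes"
    withdrawn = b"constructed sample: build that was never released"
    _, sig_release = svc.sign("rm-alice", "app-1.0.msi", release)
    digest_w, sig_w = svc.sign("rm-alice", "app-1.0-rc1.msi", withdrawn)
    svc.revoke("infra-root", digest_w, "artifact not released")
    return {
        "release": svc.verify(release, sig_release),
        "withdrawn": svc.verify(withdrawn, sig_w),
        "swapped": svc.verify(release, sig_w),
        "log": [(r.publisher, r.artifact_name)
                for r in svc.audit_log("infra-root")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because HMAC is symmetric, verification here has to go through the service; with a real code signing certificate the verifier checks the signature against the public certificate and consults revocation data instead.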





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.

Sent from my iPad

On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:

> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
> 
>> 
>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>> 
>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>> 
>>> Hi Dave,
>>> 
>>> Our hosted signing service does not currently provide the ability to sign
>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>> website:
>>> 
>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>> 
>>> Would this work for you?  Please let us know if you have any questions.
>>> 
>>> Thanks,
>>> 
>>> Rich
>>> 
>>> 
>> Rich,
>> 
>> This would work perfectly fine for us.
>> 
>> 
>> Om,
>> 
>> And now the question is for the Apache Infrastructure team. Assuming that
>> an apache.org certificate for signing AIR applications is purchased by The
>> ASF, how will it be handled? And that is the other thread.
>> 
>> Thanks,
>> Dave
>> 
>> 
> Do we know if there has been any work/discussion on this?  We are preparing
> our installer app for release and valid certificate would be very good to
> have.
> 
> What should I (or infra) do to get this certificate approved and purchased
> for us by us?  How can I help speed up this process?
> 
> Thanks,
> Om


Om, 

We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 

Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding. 

To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another project, come up with this plan we have asked for. 

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:

>
> On Jul 19, 2012, at 11:16 AM, Om wrote:
>
> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>
>> Hi Dave,
>>
>> Our hosted signing service does not currently provide the ability to sign
>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>> website:
>>
>> http://www.symantec.com/verisign/code-signing/adobe-air
>>
>> Would this work for you?  Please let us know if you have any questions.
>>
>> Thanks,
>>
>> Rich
>>
>>
> Rich,
>
> This would work perfectly fine for us.
>
>
> Om,
>
> And now the question is for the Apache Infrastructure team. Assuming that
> an apache.org certificate for signing AIR applications is purchased by The
> ASF, how will it be handled? And that is the other thread.
>
> Thanks,
> Dave
>
>
Do we know if there has been any work/discussion on this?  We are preparing
our installer app for release and valid certificate would be very good to
have.

What should I (or infra) do to get this certificate approved and purchased
for us by us?  How can I help speed up this process?

Thanks,
Om

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Jul 19, 2012, at 11:16 AM, Om wrote:

> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
> Hi Dave,
> 
> Our hosted signing service does not currently provide the ability to sign Air applications, but we do offer Code Signing certs for Adobe Air from our website:
> 
> http://www.symantec.com/verisign/code-signing/adobe-air
> 
> Would this work for you?  Please let us know if you have any questions.
> 
> Thanks,
> 
> Rich
> 
> 
> Rich,
> 
> This would work perfectly fine for us.  

Om,

And now the question is for the Apache Infrastructure team. Assuming that an apache.org certificate for signing AIR applications is purchased by The ASF, how will it be handled? And that is the other thread.

Thanks,
Dave

> 
> Thanks,
> Om
> Apache Flex PPMC Member
>  
> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Wednesday, July 18, 2012 7:12 PM
> To: infrastructure-dev@apache.org
> Cc: Dean Coclin; Richard Hall
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
> 
> 
> On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:
> 
> > Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> > list history... if I missed your earlier reply I apologize in advance.
> 
> Gentlemen,
> 
> The Apache Flex podling would like to sign AIR applications as well:
> 
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> 
> Thanks for your consideration,
> Dave
> 
> >
> > Bill
> >
> > On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> >> Q's for Dean inline;
> >>
> >> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> >>>
> >>> sorry for jumping in but I hope that a short question is allowed.
> >>
> >> [Yes, that's why we launched the thread here for anyone interested in
> >> signing ASF binary objects.]
> >>
> >>> I am currently investigating in a reliable code signing process for
> >>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> >>> and especially the upcoming Windows 8.
> >>>
> >>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> >>> build, package the files in an msi/setup etc., sign the final setup bits
> >>> and finally sign a downloadable self extracting exe.
> >>>
> >>> Because of the huge size and the many many files I believe that it makes
> >>> most sense to have a certificate on a dedicated build machine.
> >>
> >> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> >> case for reasons already spelled out on the list.  As I was designing the
> >> svn <-> signing service, I was actually laying it out that I myself would
> >> never have access to that key myself.
> >>
> >> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> >> the individual bits in that package, and refold it back into a .cab (and
> >> nested back into the .msi, which is then itself signed).  The same could
> >> be true for a Java .jar (.zip) binaries collection.
> >>
> >>
> >> Dean, a few additional questions for you from these thoughts;
> >>
> >> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> >> sign multiple embedded bits?
> >>
> >> Is the logic out there for 'batching' a bunch of files together?
> >>
> >> In either case, will a single 'signing key' be used, or will each individual
> >> artifact be individually signed?
> >>
> >> Can .msi or .jar packages themselves be signed through the service?
> >>
> >> And finally, has anything changed in the past year about an organization having
> >> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> >> individual or department keys?  Last I understood, only a single org code
> >> signing cert would be made available.  We have approx 12 RM's at the ASF today
> >> who would like to begin signing packages, if one key/cert can be tied into one
> >> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> >> signing key?
> >>
> >>> But anyway whatever process in the end is working and possible, I would
> >>> like to ask if it is possible to get some kind of test certificate to
> >>> improve our testing.
> >>
> >> Or, perhaps test-integrate with the signing service, if it provides for batch
> >> submission?
> >>
> >>> My self signed certificate created with makecert is 1024 bit only and I
> >>> have read that a code signing cert have to be at least 2024 bits. I
> >>> don't know if that makes a difference in the Windows 8 App Certification
> >>> Kit.
> >>
> >> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> >> reliable cryptography is 2048 bits today (measured as an RSA style key,
> >> obviously DSS/DH and ECC use different logic and different 'safe' key
> >> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> >> but I won't be holding my breath on that one :)
> >>
> >> Secondly, any pointers to local test signing certs for binaries and .msi
> >> packages on windows would be very helpful to me as well.
> >>
> >>> I think AOO with currently >6million downloads (since May 8th) can be a
> >>> good promotion for Symantec when people notice where the certificate
> >>> comes from.
> >>
> >> +1 :)
> >>
> >>
> >>
> >>
> >>
> >
> >
> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:

> Hi Dave,
>
> Our hosted signing service does not currently provide the ability to sign
> Air applications, but we do offer Code Signing certs for Adobe Air from our
> website:
>
> http://www.symantec.com/verisign/code-signing/adobe-air
>
> Would this work for you?  Please let us know if you have any questions.
>
> Thanks,
>
> Rich
>
>
Rich,

This would work perfectly fine for us.

Thanks,
Om
Apache Flex PPMC Member


> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Wednesday, July 18, 2012 7:12 PM
> To: infrastructure-dev@apache.org
> Cc: Dean Coclin; Richard Hall
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
>
>
> On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:
>
> > Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> > list history... if I missed your earlier reply I apologize in advance.
>
> Gentlemen,
>
> The Apache Flex podling would like to sign AIR applications as well:
>
>
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>
> Thanks for your consideration,
> Dave
>
> >
> > Bill
> >
> > On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> >> Q's for Dean inline;
> >>
> >> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> >>>
> >>> sorry for jumping in but I hope that a short question is allowed.
> >>
> >> [Yes, that's why we launched the thread here for anyone interested in
> >> signing ASF binary objects.]
> >>
> >>> I am currently investigating in a reliable code signing process for
> >>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> >>> and especially the upcoming Windows 8.
> >>>
> >>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> >>> build, package the files in an msi/setup etc., sign the final setup bits
> >>> and finally sign a downloadable self extracting exe.
> >>>
> >>> Because of the huge size and the many many files I believe that it makes
> >>> most sense to have a certificate on a dedicated build machine.
> >>
> >> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> >> case for reasons already spelled out on the list.  As I was designing the
> >> svn <-> signing service, I was actually laying it out that I myself would
> >> never have access to that key myself.
> >>
> >> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> >> the individual bits in that package, and refold it back into a .cab (and
> >> nested back into the .msi, which is then itself signed).  The same could
> >> be true for a Java .jar (.zip) binaries collection.
> >>
> >>
> >> Dean, a few additional questions for you from these thoughts;
> >>
> >> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> >> sign multiple embedded bits?
> >>
> >> Is the logic out there for 'batching' a bunch of files together?
> >>
> >> In either case, will a single 'signing key' be used, or will each individual
> >> artifact be individually signed?
> >>
> >> Can .msi or .jar packages themselves be signed through the service?
> >>
> >> And finally, has anything changed in the past year about an organization having
> >> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> >> individual or department keys?  Last I understood, only a single org code
> >> signing cert would be made available.  We have approx 12 RM's at the ASF today
> >> who would like to begin signing packages, if one key/cert can be tied into one
> >> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> >> signing key?
> >>
> >>> But anyway whatever process in the end is working and possible, I would
> >>> like to ask if it is possible to get some kind of test certificate to
> >>> improve our testing.
> >>
> >> Or, perhaps test-integrate with the signing service, if it provides for batch
> >> submission?
> >>
> >>> My self signed certificate created with makecert is 1024 bit only and I
> >>> have read that a code signing cert have to be at least 2024 bits. I
> >>> don't know if that makes a difference in the Windows 8 App Certification
> >>> Kit.
> >>
> >> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> >> reliable cryptography is 2048 bits today (measured as an RSA style key,
> >> obviously DSS/DH and ECC use different logic and different 'safe' key
> >> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> >> but I won't be holding my breath on that one :)
> >>
> >> Secondly, any pointers to local test signing certs for binaries and .msi
> >> packages on windows would be very helpful to me as well.
> >>
> >>> I think AOO with currently >6million downloads (since May 8th) can be a
> >>> good promotion for Symantec when people notice where the certificate
> >>> comes from.
> >>
> >> +1 :)
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Richard Hall <Ri...@symantec.com>.
Hi Dave,

Our hosted signing service does not currently provide the ability to sign Air applications, but we do offer Code Signing certs for Adobe Air from our website:

http://www.symantec.com/verisign/code-signing/adobe-air

Would this work for you?  Please let us know if you have any questions.

Thanks,

Rich

-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Wednesday, July 18, 2012 7:12 PM
To: infrastructure-dev@apache.org
Cc: Dean Coclin; Richard Hall
Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer


On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:

> Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> list history... if I missed your earlier reply I apologize in advance.

Gentlemen,

The Apache Flex podling would like to sign AIR applications as well:

http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html

Thanks for your consideration,
Dave

> 
> Bill
> 
> On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
>> Q's for Dean inline;
>> 
>> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>> 
>>> sorry for jumping in but I hope that a short question is allowed.
>> 
>> [Yes, that's why we launched the thread here for anyone interested in
>> signing ASF binary objects.]
>> 
>>> I am currently investigating in a reliable code signing process for
>>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>>> and especially the upcoming Windows 8.
>>> 
>>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>>> build, package the files in an msi/setup etc., sign the final setup bits
>>> and finally sign a downloadable self extracting exe.
>>> 
>>> Because of the huge size and the many many files I believe that it makes
>>> most sense to have a certificate on a dedicated build machine.
>> 
>> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
>> case for reasons already spelled out on the list.  As I was designing the
>> svn <-> signing service, I was actually laying it out that I myself would
>> never have access to that key myself.
>> 
>> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
>> the individual bits in that package, and refold it back into a .cab (and
>> nested back into the .msi, which is then itself signed).  The same could
>> be true for a Java .jar (.zip) binaries collection.
>> 
>> 
>> Dean, a few additional questions for you from these thoughts;
>> 
>> Can the code signing service accept a rolled up .msi or .jar (.zip) and
>> sign multiple embedded bits?
>> 
>> Is the logic out there for 'batching' a bunch of files together?
>> 
>> In either case, will a single 'signing key' be used, or will each individual
>> artifact be individually signed?
>> 
>> Can .msi or .jar packages themselves be signed through the service?
>> 
>> And finally, has anything changed in the past year about an organization having
>> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
>> individual or department keys?  Last I understood, only a single org code
>> signing cert would be made available.  We have approx 12 RM's at the ASF today
>> who would like to begin signing packages, if one key/cert can be tied into one
>> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
>> signing key?
>> 
>>> But anyway whatever process in the end is working and possible, I would
>>> like to ask if it is possible to get some kind of test certificate to
>>> improve our testing.
>> 
>> Or, perhaps test-integrate with the signing service, if it provides for batch
>> submission?
>> 
>>> My self signed certificate created with makecert is 1024 bit only and I
>>> have read that a code signing cert have to be at least 2024 bits. I
>>> don't know if that makes a difference in the Windows 8 App Certification
>>> Kit.
>> 
>> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
>> reliable cryptography is 2048 bits today (measured as an RSA style key,
>> obviously DSS/DH and ECC use different logic and different 'safe' key
>> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
>> but I won't be holding my breath on that one :)
>> 
>> Secondly, any pointers to local test signing certs for binaries and .msi
>> packages on windows would be very helpful to me as well.
>> 
>>> I think AOO with currently >6million downloads (since May 8th) can be a
>>> good promotion for Symantec when people notice where the certificate
>>> comes from.
>> 
>> +1 :)
>> 
>> 
>> 
>> 
>> 
> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:

> Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> list history... if I missed your earlier reply I apologize in advance.

Gentlemen,

The Apache Flex podling would like to sign AIR applications as well:

http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html

Thanks for your consideration,
Dave

> 
> Bill
> 
> On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
>> Q's for Dean inline;
>> 
>> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>> 
>>> sorry for jumping in but I hope that a short question is allowed.
>> 
>> [Yes, that's why we launched the thread here for anyone interested in
>> signing ASF binary objects.]
>> 
>>> I am currently investigating in a reliable code signing process for
>>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>>> and especially the upcoming Windows 8.
>>> 
>>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>>> build, package the files in an msi/setup etc., sign the final setup bits
>>> and finally sign a downloadable self extracting exe.
>>> 
>>> Because of the huge size and the many many files I believe that it makes
>>> most sense to have a certificate on a dedicated build machine.
>> 
>> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
>> case for reasons already spelled out on the list.  As I was designing the
>> svn <-> signing service, I was actually laying it out that I myself would
>> never have access to that key myself.
>> 
>> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
>> the individual bits in that package, and refold it back into a .cab (and
>> nested back into the .msi, which is then itself signed).  The same could
>> be true for a Java .jar (.zip) binaries collection.
>> 
>> 
>> Dean, a few additional questions for you from these thoughts;
>> 
>> Can the code signing service accept a rolled up .msi or .jar (.zip) and
>> sign multiple embedded bits?
>> 
>> Is the logic out there for 'batching' a bunch of files together?
>> 
>> In either case, will a single 'signing key' be used, or will each individual
>> artifact be individually signed?
>> 
>> Can .msi or .jar packages themselves be signed through the service?
>> 
>> And finally, has anything changed in the past year about an organization having
>> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
>> individual or department keys?  Last I understood, only a single org code
>> signing cert would be made available.  We have approx 12 RM's at the ASF today
>> who would like to begin signing packages, if one key/cert can be tied into one
>> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
>> signing key?
>> 
>>> But anyway whatever process in the end is working and possible, I would
>>> like to ask if it is possible to get some kind of test certificate to
>>> improve our testing.
>> 
>> Or, perhaps test-integrate with the signing service, if it provides for batch
>> submission?
>> 
>>> My self signed certificate created with makecert is 1024 bit only and I
>>> have read that a code signing cert have to be at least 2024 bits. I
>>> don't know if that makes a difference in the Windows 8 App Certification
>>> Kit.
>> 
>> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
>> reliable cryptography is 2048 bits today (measured as an RSA style key,
>> obviously DSS/DH and ECC use different logic and different 'safe' key
>> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
>> but I won't be holding my breath on that one :)
>> 
>> Secondly, any pointers to local test signing certs for binaries and .msi
>> packages on windows would be very helpful to me as well.
>> 
>>> I think AOO with currently >6million downloads (since May 8th) can be a
>>> good promotion for Symantec when people notice where the certificate
>>> comes from.
>> 
>> +1 :)
>> 
>> 
>> 
>> 
>> 
> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
Richard, Dean, can you provide any insight? I just reviewed the infra-dev
list history... if I missed your earlier reply I apologize in advance.

Bill

On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> Q's for Dean inline;
> 
> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>
>> sorry for jumping in but I hope that a short question is allowed.
> 
> [Yes, that's why we launched the thread here for anyone interested in
> signing ASF binary objects.]
> 
>> I am currently investigating in a reliable code signing process for
>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>> and especially the upcoming Windows 8.
>>
>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>> build, package the files in an msi/setup etc., sign the final setup bits
>> and finally sign a downloadable self extracting exe.
>>
>> Because of the huge size and the many many files I believe that it makes
>> most sense to have a certificate on a dedicated build machine.
> 
> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> case for reasons already spelled out on the list.  As I was designing the
> svn <-> signing service, I was actually laying it out that I myself would
> never have access to that key myself.
> 
> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> the individual bits in that package, and refold it back into a .cab (and
> nested back into the .msi, which is then itself signed).  The same could
> be true for a Java .jar (.zip) binaries collection.
> 
> 
> Dean, a few additional questions for you from these thoughts;
> 
> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> sign multiple embedded bits?
> 
> Is the logic out there for 'batching' a bunch of files together?
> 
> In either case, will a single 'signing key' be used, or will each individual
> artifact be individually signed?
> 
> Can .msi or .jar packages themselves be signed through the service?
> 
> And finally, has anything changed in the past year about an organization having
> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> individual or department keys?  Last I understood, only a single org code
> signing cert would be made available.  We have approx 12 RM's at the ASF today
> who would like to begin signing packages, if one key/cert can be tied into one
> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> signing key?
> 
>> But anyway whatever process in the end is working and possible, I would
>> like to ask if it is possible to get some kind of test certificate to
>> improve our testing.
> 
> Or, perhaps test-integrate with the signing service, if it provides for batch
> submission?
> 
>> My self signed certificate created with makecert is 1024 bit only and I
>> have read that a code signing cert have to be at least 2024 bits. I
>> don't know if that makes a difference in the Windows 8 App Certification
>> Kit.
> 
> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> reliable cryptography is 2048 bits today (measured as an RSA style key,
> obviously DSS/DH and ECC use different logic and different 'safe' key
> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> but I won't be holding my breath on that one :)
> 
> Secondly, any pointers to local test signing certs for binaries and .msi
> packages on windows would be very helpful to me as well.
> 
>> I think AOO with currently >6million downloads (since May 8th) can be a
>> good promotion for Symantec when people notice where the certificate
>> comes from.
> 
> +1 :)
> 
> 
> 
> 
> 



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
Q's for Dean inline;

On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> 
> sorry for jumping in but I hope that a short question is allowed.

[Yes, that's why we launched the thread here for anyone interested in
signing ASF binary objects.]

> I am currently investigating in a reliable code signing process for
> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> and especially the upcoming Windows 8.
> 
> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> build, package the files in an msi/setup etc., sign the final setup bits
> and finally sign a downloadable self extracting exe.
> 
> Because of the huge size and the many many files I believe that it makes
> most sense to have a certificate on a dedicated build machine.

Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
case for reasons already spelled out on the list.  As I was designing the
svn <-> signing service, I was actually laying it out that I myself would
never have access to that key myself.

On the other hand, I was designing it to unfold a .cab (or .msi), sign all
the individual bits in that package, and refold it back into a .cab (and
nested back into the .msi, which is then itself signed).  The same could
be true for a Java .jar (.zip) binaries collection.


Dean, a few additional questions for you from these thoughts;

Can the code signing service accept a rolled up .msi or .jar (.zip) and
sign multiple embedded bits?

Is the logic out there for 'batching' a bunch of files together?

In either case, will a single 'signing key' be used, or will each individual
artifact be individually signed?

Can .msi or .jar packages themselves be signed through the service?

And finally, has anything changed in the past year about an organization having
OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
individual or department keys?  Last I understood, only a single org code
signing cert would be made available.  We have approx 12 RM's at the ASF today
who would like to begin signing packages, if one key/cert can be tied into one
individual committer.  Or (in this case) can "O=Apache Open Office" be its own
signing key?

> But anyway whatever process in the end is working and possible, I would
> like to ask if it is possible to get some kind of test certificate to
> improve our testing.

Or, perhaps test-integrate with the signing service, if it provides for batch
submission?

> My self signed certificate created with makecert is 1024 bit only and I
> have read that a code signing cert have to be at least 2024 bits. I
> don't know if that makes a difference in the Windows 8 App Certification
> Kit.

First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
reliable cryptography is 2048 bits today (measured as an RSA style key,
obviously DSS/DH and ECC use different logic and different 'safe' key
sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
but I won't be holding my breath on that one :)

Secondly, any pointers to local test signing certs for binaries and .msi
packages on windows would be very helpful to me as well.

> I think AOO with currently >6million downloads (since May 8th) can be a
> good promotion for Symantec when people notice where the certificate
> comes from.

+1 :)





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Cottlehuber <da...@muse.net.nz>.
On 27 June 2012 19:21, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>
>> sorry for jumping in but I hope that a short question is allowed.
>
> [Yes, that's why we launched the thread here for anyone interested in
> signing ASF binary objects.]
>
>> I am currently investigating in a reliable code signing process for
>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>> and especially the upcoming Windows 8.

I've not investigated this yet but would like to do this for CouchDB too. Unless
there's a better way to get involved/stay updated I'll just watch this thread.

A+
Dave

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@googlemail.com>.
Hi William,

I don't know if Dean is on the infra-dev list subscribed, probably not.
Means your answer will not reach Dean.

On 6/27/12 7:21 PM, William A. Rowe Jr. wrote:
> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>
>> sorry for jumping in but I hope that a short question is allowed.
> 
> [Yes, that's why we launched the thread here for anyone interested in
> signing ASF binary objects.]
> 
>> I am currently investigating in a reliable code signing process for
>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>> and especially the upcoming Windows 8.
>>
>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>> build, package the files in an msi/setup etc., sign the final setup bits
>> and finally sign a downloadable self extracting exe.
>>
>> Because of the huge size and the many many files I believe that it makes
>> most sense to have a certificate on a dedicated build machine.
> 
> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> case for reasons already spelled out on the list.  As I was designing the
> svn <-> signing service, I was actually laying it out that I myself would
> never have access to that key myself.
> 
> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> the individual bits in that package, and refold it back into a .cab (and
> nested back into the .msi, which is then itself signed).  The same could
> be true for a Java .jar (.zip) binaries collection.

I see it more practical, we have several installation packages and we
support many languages and hopefully even more in the future. I talk not
about a few MBs only but GBs and a much more complicated process at all.

And of course I don't see really a problem to share for example a pfx
file + passcode between different persons who are responsible for the
signing part. And ideally each project is responsible for its own cert
to limit the risk to the project.

I think everything at Apache is based on trust and I think people
understand the security issues. We talked about a serious and trustful
handling of the certificate and nobody talked about a broader sharing.

> 
> 
> Dean, a few additional questions for you from these thoughts;
> 
> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> sign multiple embedded bits?
> 
> Is the logic out there for 'batching' a bunch of files together?
> 
> In either case, will a single 'signing key' be used, or will each individual
> artifact be individually signed?
> 
> Can .msi or .jar packages themselves be signed through the service?
> 
> And finally, has anything changed in the past year about an organization having
> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> individual or department keys?  Last I understood, only a single org code
> signing cert would be made available.  We have approx 12 RM's at the ASF today
> who would like to begin signing packages, if one key/cert can be tied into one
> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> signing key?
> 
>> But anyway whatever process in the end is working and possible, I would
>> like to ask if it is possible to get some kind of test certificate to
>> improve our testing.
> 
> Or, perhaps test-integrate with the signing service, if it provides for batch
> submission?
> 
>> My self signed certificate created with makecert is 1024 bit only and I
>> have read that a code signing cert have to be at least 2024 bits. I
>> don't know if that makes a difference in the Windows 8 App Certification
>> Kit.
> 
> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> reliable cryptography is 2048 bits today (measured as an RSA style key,
> obviously DSS/DH and ECC use different logic and different 'safe' key
> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> but I won't be holding my breath on that one :)

I was saying that I don't know if the MS testing app for Windows 8
checks the certificates in detail and if it makes a difference here. I
never wanted to use a 1024 bit cert in reality ;-)

Juergen

> 
> Secondly, any pointers to local test signing certs for binaries and .msi
> packages on windows would be very helpful to me as well.
> 
>> I think AOO with currently >6million downloads (since May 8th) can be a
>> good promotion for Symantec when people notice where the certificate
>> comes from.
> 
> +1 :)
> 
> 



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> 
> sorry for jumping in but I hope that a short question is allowed.

[Yes, that's why we launched the thread here for anyone interested in
signing ASF binary objects.]

> I am currently investigating in a reliable code signing process for
> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> and especially the upcoming Windows 8.
> 
> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> build, package the files in an msi/setup etc., sign the final setup bits
> and finally sign a downloadable self extracting exe.
> 
> Because of the huge size and the many many files I believe that it makes
> most sense to have a certificate on a dedicated build machine.

Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
case for reasons already spelled out on the list.  As I was designing the
svn <-> signing service, I was actually laying it out that I myself would
never have access to that key myself.

On the other hand, I was designing it to unfold a .cab (or .msi), sign all
the individual bits in that package, and refold it back into a .cab (and
nested back into the .msi, which is then itself signed).  The same could
be true for a Java .jar (.zip) binaries collection.


Dean, a few additional questions for you from these thoughts;

Can the code signing service accept a rolled up .msi or .jar (.zip) and
sign multiple embedded bits?

Is the logic out there for 'batching' a bunch of files together?

In either case, will a single 'signing key' be used, or will each individual
artifact be individually signed?

Can .msi or .jar packages themselves be signed through the service?

And finally, has anything changed in the past year about an organization having
OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
individual or department keys?  Last I understood, only a single org code
signing cert would be made available.  We have approx 12 RM's at the ASF today
who would like to begin signing packages, if one key/cert can be tied into one
individual committer.  Or (in this case) can "O=Apache Open Office" be its own
signing key?

> But anyway whatever process in the end is working and possible, I would
> like to ask if it is possible to get some kind of test certificate to
> improve our testing.

Or, perhaps test-integrate with the signing service, if it provides for batch
submission?

> My self signed certificate created with makecert is 1024 bit only and I
> have read that a code signing cert have to be at least 2024 bits. I
> don't know if that makes a difference in the Windows 8 App Certification
> Kit.

First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
reliable cryptography is 2048 bits today (measured as an RSA style key,
obviously DSS/DH and ECC use different logic and different 'safe' key
sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
but I won't be holding my breath on that one :)

Secondly, any pointers to local test signing certs for binaries and .msi
packages on windows would be very helpful to me as well.

> I think AOO with currently >6million downloads (since May 8th) can be a
> good promotion for Symantec when people notice where the certificate
> comes from.

+1 :)
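
The unfold, sign, refold order described in the message above, as an added example that is not part of the original post and not ASF or Symantec code. It covers only the .jar (.zip) case; `demo_sign`/`demo_verify` are hypothetical stand-ins (an HMAC tag, not Authenticode or jarsigner output) for whatever the signing service would return, and the sample archive is constructed.

```python
import hashlib
import hmac
import io
import zipfile

SIGNABLE = (".dll", ".exe")         # leaf binaries, signed as they are
CONTAINERS = (".jar", ".zip")       # unfolded, contents signed, refolded, then signed
TAG = b"\n--DEMO-SIG--"             # constructed marker, not a real signature format
DEMO_KEY = b"constructed-demo-key"  # stands in for the key only the service holds


def demo_sign(data):
    """Hypothetical stand-in for a submit-to-signing-service call."""
    return data + TAG + hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest().encode()


def demo_verify(blob):
    """Return the signed payload if the trailing tag matches, else None."""
    data, sep, tag = blob.rpartition(TAG)
    expected = hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest().encode()
    return data if sep and hmac.compare_digest(tag, expected) else None


def refold_signed(name, blob, sign, log):
    """Unfold a container, sign every embedded bit, and refold it.
    The archive returned here does not yet carry its own signature."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            member = sign_package(f"{name}!/{info.filename}", src.read(info), sign, log)
            dst.writestr(info, member)
    return out.getvalue()


def sign_package(name, blob, sign, log):
    """Sign inside-out: embedded bits first, the enclosing package last, so the
    outer signature covers the final, already-signed contents."""
    lower = name.lower()
    if lower.endswith(CONTAINERS):
        blob = refold_signed(name, blob, sign, log)
    elif not lower.endswith(SIGNABLE):
        return blob                 # resources and directories pass through unsigned
    log.append(name)                # record the order in which signatures were made
    return sign(blob)


def verify_package(name, blob, verify):
    """Check the outer signature, then every signable bit inside.
    Returns the names whose signature is missing or does not verify."""
    lower = name.lower()
    if not lower.endswith(SIGNABLE + CONTAINERS):
        return []
    payload = verify(blob)
    if payload is None:
        return [name]
    bad = []
    if lower.endswith(CONTAINERS):
        with zipfile.ZipFile(io.BytesIO(payload)) as src:
            for info in src.infolist():
                bad += verify_package(f"{name}!/{info.filename}", src.read(info), verify)
    return bad


def build_sample():
    """Constructed sample: a .jar with two binaries, a text file and a nested .jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("native/helper.dll", b"MZ constructed helper")
        z.writestr("plugin.properties", b"name=demo\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("bin/core.dll", b"MZ constructed core")
        z.writestr("README.txt", b"constructed sample\n")
        z.writestr("lib/plugin.jar", inner.getvalue())
        z.writestr("bin/tool.exe", b"MZ constructed tool")
    return outer.getvalue()


if __name__ == "__main__":
    order = []
    signed = sign_package("app.jar", build_sample(), demo_sign, order)
    print("signing order:", *order, sep="\n  ")
    print("unverified:", verify_package("app.jar", signed, demo_verify))
```

Signing the package before its contents leaves a stale outer signature, because refolding with signed members changes the bytes the outer signature was computed over.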



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@googlemail.com>.
On 6/27/12 2:49 PM, Dean Coclin wrote:
> Yes, we are still the correct people.
> 

Hi Dean,

sorry for jumping in but I hope that a short question is allowed.

I am currently investigating in a reliable code signing process for
Apache OpenOffice (AOO) to become a good citizen in the Windows world
and especially the upcoming Windows 8.

AOO is bigger and we have to sign a lot of *.dll and *.exe during the
build, package the files in an msi/setup etc., sign the final setup bits
and finally sign a downloadable self extracting exe.

Because of the huge size and the many many files I believe that it makes
most sense to have a certificate on a dedicated build machine.

But anyway whatever process in the end is working and possible, I would
like to ask if it is possible to get some kind of test certificate to
improve our testing.

My self signed certificate created with makecert is 1024 bit only and I
have read that a code signing cert have to be at least 2024 bits. I
don't know if that makes a difference in the Windows 8 App Certification
Kit.

I think AOO with currently >6million downloads (since May 8th) can be a
good promotion for Symantec when people notice where the certificate
comes from.

Juergen


> Dean
> 
> -----Original Message-----
> From: William A. Rowe Jr. [mailto:wrowe@rowe-clan.net]
> Sent: Tuesday, June 26, 2012 5:38 PM
> To: Richard Hall; Dean Coclin; Tony Stevenson (Apache)
> Cc: infrastructure-dev@apache.org; Sam Ruby
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
> 
> On 6/25/2012 5:33 PM, William A. Rowe Jr. wrote:
>> Since the subject of signing packages has reappeared, I'd ask the
>> infra team and those RM's looking to sign bits to review this proposal once 
>> again.
>>
>>> One major step would be for Sam, who is both our Legal VP and Infra
>>> VP, to review the actual agreement/paperwork in detail and determine
>>> that it would be something we are able to sign.  Dean, could you
>>> forward that to Sam, even as we all learn more about the service and
>>> come to a decision of whether we should adopt it or not?
>>>
>>> Dean and Richard are happy to answer any questions, here's one that
>>> we started during a brief introductory call.  They are just coming up
>>> to speed about how we handle our infrastructure through mailing
>>> lists, so be nice, and please remember reply-to-all if you want them
>>> to respond!
> 
> Dean, Richard,
> 
> are you still the best contacts to speak to about the logistics of setting up 
> the ASF with the Symantec's code signing service?  Tony (cc'ed) would like to 
> directly discuss the particulars with you on behalf of the ASF Infrastructure 
> team.
> 
> Warmly,
> 
> Bill
> 



RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dean Coclin <De...@symantec.com>.
Yes, we are still the correct people.

Dean

-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@rowe-clan.net]
Sent: Tuesday, June 26, 2012 5:38 PM
To: Richard Hall; Dean Coclin; Tony Stevenson (Apache)
Cc: infrastructure-dev@apache.org; Sam Ruby
Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

On 6/25/2012 5:33 PM, William A. Rowe Jr. wrote:
> Since the subject of signing packages has reappeared, I'd ask the
> infra team and those RM's looking to sign bits to review this proposal once 
> again.
>
>> One major step would be for Sam, who is both our Legal VP and Infra
>> VP, to review the actual agreement/paperwork in detail and determine
>> that it would be something we are able to sign.  Dean, could you
>> forward that to Sam, even as we all learn more about the service and
>> come to a decision of whether we should adopt it or not?
>>
>> Dean and Richard are happy to answer any questions, here's one that
>> we started during a brief introductory call.  They are just coming up
>> to speed about how we handle our infrastructure through mailing
>> lists, so be nice, and please remember reply-to-all if you want them
>> to respond!

Dean, Richard,

are you still the best contacts to speak to about the logistics of setting up 
the ASF with the Symantec's code signing service?  Tony (cc'ed) would like to 
directly discuss the particulars with you on behalf of the ASF Infrastructure 
team.

Warmly,

Bill


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/25/2012 5:33 PM, William A. Rowe Jr. wrote:
> Since the subject of signing packages has reappeared, I'd ask the infra team
> and those RM's looking to sign bits to review this proposal once again.
> 
>> One major step would be for Sam, who is both our Legal VP and Infra VP,
>> to review the actual agreement/paperwork in detail and determine that
>> it would be something we are able to sign.  Dean, could you forward that
>> to Sam, even as we all learn more about the service and come to a decision
>> of whether we should adopt it or not?
>>
>> Dean and Richard are happy to answer any questions, here's one that
>> we started during a brief introductory call.  They are just coming
>> up to speed about how we handle our infrastructure through mailing
>> lists, so be nice, and please remember reply-to-all if you want them
>> to respond!

Dean, Richard,

are you still the best contacts to speak to about the logistics of setting
up the ASF with the Symantec's code signing service?  Tony (cc'ed) would
like to directly discuss the particulars with you on behalf of the ASF
Infrastructure team.

Warmly,

Bill


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
Since the subject of signing packages has reappeared, I'd ask the infra team
and those RM's looking to sign bits to review this proposal once again.

Given that a sig can be invalidated after the fact, the attached discussion
is probably moot - simply sign the bits for the release candidate, and if
rev 1.1.x isn't approved, sign the next rev 1.1.x+1 package and invalidate
the original signature on 1.1.x binaries.  That should work, shouldn't it?



On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> On the subject of signing jars, Windows binaries and .msi installer
> packages, it seems that infra-dev is partial to the ability to revoke
> package signatures if an artifact is not released or is found to have
> been corrupted, and that the code signing service from Symantec /
> VeriSign / Thawte is the way to go here.
> 
> I spoke with Richard and Dean who confirmed that this service would
> be offered at no cost to the ASF.  User accounts would be as one of two
> roles, an administrator (root-ish) level and a publisher (committer)
> who needs to sign packages.  There is no integration at present for
> PAM style authentication into our ldap, or SSO solution in this
> specific service so we would have to create accounts for each committer
> who is doing signed binary releases.
> 
> It is batch-able and can be automated.  Obviously there is some work
> around setting up that functionality, but it can run on the signers
> own PC as opposed to a central repository.  Here's a background paper
> on the code signing portal itself;
> 
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
> 
> It is due a major revision entering(or already in?) beta.  That version
> introduces support for .jar signing in addition to Win binary/msi signing.
> I asked  and they are researching whether Apache could be invited to
> participate in the beta, since we would only just be getting up to speed
> by the time that portal version launches.
> 
> One major step would be for Sam, who is both our Legal VP and Infra VP,
> to review the actual agreement/paperwork in detail and determine that
> it would be something we are able to sign.  Dean, could you forward that
> to Sam, even as we all learn more about the service and come to a decision
> of whether we should adopt it or not?
> 
> Dean and Richard are happy to answer any questions, here's one that
> we started during a brief introductory call.  They are just coming
> up to speed about how we handle our infrastructure through mailing
> lists, so be nice, and please remember reply-to-all if you want them
> to respond!
> 
> 
>  Q. Support for JavaScript signing for frameworks like ajax?
> 
> On 12/5/2011 11:21 AM, Richard Hall wrote:
>>
>> I looked into the java script signing that you had asked about and it's not something that we currently do (although not to say that we couldn't do it).  Is this something that you're doing today, and if so, what sign tool are you using (jar signer, Microsoft's sign tool, etc.).  It's our understanding that even if we provide signing for java scripts that there is currently no way to validate this in any existing infrastructure (browsers, etc.) unless you've implemented your own way of doing this.
>>
>> Thanks for any additional input you can provide.
> 
> 



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by sebb <se...@gmail.com>.
On 5 December 2011 19:41, William A. Rowe Jr. <wr...@apache.org> wrote:
> On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
>>
>> It is batch-able and can be automated.  Obviously there is some work
>> around setting up that functionality, but it can run on the signers
>> own PC as opposed to a central repository.  Here's a background paper
>> on the code signing portal itself;
>>
>> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
>
> Dean, FYI this pdf is pretty trashed by my up-to-date Acrobat reader.
> Wondering if you know of any alternative formats?

Maybe you need an alternative PDF reader - it loads fine in Sumatra
PDF 1.7 on Win/XP!
I see 4 pages which all seem readable to me.

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@apache.org>.
On 1/19/2012 1:49 PM, William A. Rowe Jr. wrote:
> 
> Perhaps we'll have to put it in motion, either as a beta experiment
> or simply adopt it.  Because the ASF is very close to releasing

... httpd 2.4.0 I'd love to make that a first crack at this process.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@apache.org>.
On 1/19/2012 1:52 PM, Benson Margulies wrote:
> Did something get lost from this message? It seems to have important
> pieces missing.

Howso?  You read the posts last month, right?

This was a general observation about the .pdf that accompanied the
code signing offer.

Discussion is in the archives under Dec 5.  Attached for your
convenience.

Did you mean to drop thawte/symantec from your question?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Benson Margulies <bi...@gmail.com>.
Did something get lost from this message? It seems to have important
pieces missing.

On Thu, Jan 19, 2012 at 2:49 PM, William A. Rowe Jr. <wr...@apache.org> wrote:
> Taking a closer look at pg 3...
>
> We will need to consider how this differs from our traditional
> method of signing.  The flowchart is fairly clear.  It appears
> that at any given time authorized users can upload an object
> for signing, and obtain back either a dev, test or release signed
> package.
>
> The question is, for our purposes, will we simply jump straight
> to the release signed package for voting?  Or do we want to take
> advantage of that test flavor?
>
> Perhaps we'll have to put it in motion, either as a beta experiment
> or simply adopt it.  Because the ASF is very close to releasing
>
> Any updates on the new .jar signing service features now that we
> are in 2012?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Mar 2, 2012, at 12:35 PM, Dave Cottlehuber wrote:

> On 2 March 2012 19:21, Dave Fisher <da...@comcast.net> wrote:
>> Hi,
>> 
>> The OpenOffice podling has a need to digitally sign AOO windows installers - .msi.
>> 
>> Is this process going forward? If so, what would the PPMC / IPMC need to do?
>> 
>> We would very likely use the dev, test, and release flavors. We already have developer builds and are now considering RC builds.
>> 
>> Best Regards,
>> Dave
>> 
>> On Jan 19, 2012, at 12:46 PM, Dave Cottlehuber wrote:
> 
> I'm also still interested - can we help out in any way?

It looks like we need to digitally sign .exe files as well.

Regards,
Dave

> 
> A+
> Dave


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Cottlehuber <da...@muse.net.nz>.
On 2 March 2012 19:21, Dave Fisher <da...@comcast.net> wrote:
> Hi,
>
> The OpenOffice podling has a need to digitally sign AOO windows installers - .msi.
>
> Is this process going forward? If so, what would the PPMC / IPMC need to do?
>
> We would very likely use the dev, test, and release flavors. We already have developer builds and are now considering RC builds.
>
> Best Regards,
> Dave
>
> On Jan 19, 2012, at 12:46 PM, Dave Cottlehuber wrote:

I'm also still interested - can we help out in any way?

A+
Dave

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
Hi,

The OpenOffice podling has a need to digitally sign AOO windows installers - .msi.

Is this process going forward? If so, what would the PPMC / IPMC need to do?

We would very likely use the dev, test, and release flavors. We already have developer builds and are now considering RC builds.

Best Regards,
Dave

On Jan 19, 2012, at 12:46 PM, Dave Cottlehuber wrote:

> On 19 January 2012 20:49, William A. Rowe Jr. <wr...@apache.org> wrote:
>> Taking a closer look at pg 3...
>> 
>> We will need to consider how this differs from our traditional
>> method of signing.  The flowchart is fairly clear.  It appears
>> that at any given time authorized users can upload an object
>> for signing, and obtain back either a dev, test or release signed
>> package.
>> 
>> The question is, for our purposes, will we simply jump straight
>> to the release signed package for voting?  Or do we want to take
>> advantage of that test flavor?
>> 
>> Perhaps we'll have to put it in motion, either as a beta experiment
>> or simply adopt it.  Because the ASF is very close to releasing
>> 
>> Any updates on the new .jar signing service features now that we
>> are in 2012?
> 
> I'm happy to try out the 2-phase process if there's a need for it in
> the ASF in general. For CouchDB purposes, it will be sufficient to
> sign directly - it will be a significant improvement over where we are
> today.
> 
> A+
> Dave


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Cottlehuber <da...@muse.net.nz>.
On 19 January 2012 20:49, William A. Rowe Jr. <wr...@apache.org> wrote:
> Taking a closer look at pg 3...
>
> We will need to consider how this differs from our traditional
> method of signing.  The flowchart is fairly clear.  It appears
> that at any given time authorized users can upload an object
> for signing, and obtain back either a dev, test or release signed
> package.
>
> The question is, for our purposes, will we simply jump straight
> to the release signed package for voting?  Or do we want to take
> advantage of that test flavor?
>
> Perhaps we'll have to put it in motion, either as a beta experiment
> or simply adopt it.  Because the ASF is very close to releasing
>
> Any updates on the new .jar signing service features now that we
> are in 2012?

I'm happy to try out the 2-phase process if there's a need for it in
the ASF in general. For CouchDB purposes, it will be sufficient to
sign directly - it will be a significant improvement over where we are
today.

A+
Dave

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Richard Hall <Ri...@symantec.com>.
Hi -

We often allow multiple choices during the signing process.  Test signings are typically either issued off of a different Root (untrusted) or issued off the same Root with a small window of validity (such as 3 days).  Test signings do not usually require any testing (they are signed immediately), whereas Production signings *could* require testing which would need approval/rejection before the signing occurs.

The .jar signing service is committed in our next release and will be available on Feb. 13th.

I hope that helps.

Regards,

-Rich

-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@apache.org] 
Sent: Thursday, January 19, 2012 2:50 PM
To: infrastructure-dev@apache.org; Richard Hall; Dean Coclin; Sam Ruby
Subject: RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Taking a closer look at pg 3...

We will need to consider how this differs from our traditional method of signing.  The flowchart is fairly clear.  It appears that at any given time authorized users can upload an object for signing, and obtain back either a dev, test or release signed package.

The question is, for our purposes, will we simply jump straight to the release signed package for voting?  Or do we want to take advantage of that test flavor?

Perhaps we'll have to put it in motion, either as a beta experiment or simply adopt it.  Because the ASF is very close to releasing

Any updates on the new .jar signing service features now that we are in 2012?

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@apache.org>.
Taking a closer look at pg 3...

We will need to consider how this differs from our traditional
method of signing.  The flowchart is fairly clear.  It appears
that at any given time authorized users can upload an object
for signing, and obtain back either a dev, test or release signed
package.

The question is, for our purposes, will we simply jump straight
to the release signed package for voting?  Or do we want to take
advantage of that test flavor?

Perhaps we'll have to put it in motion, either as a beta experiment
or simply adopt it.  Because the ASF is very close to releasing

Any updates on the new .jar signing service features now that we
are in 2012?

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
I'll try again, new file on a different box.


-----Original message-----
From: Dean Coclin <De...@symantec.com>
To: "William A. Rowe Jr." <wr...@apache.org>, "infrastructure-dev@apache.org" <in...@apache.org>
Cc: Richard Hall <Ri...@symantec.com>, Sam Ruby <ru...@intertwingly.net>
Sent: Mon, Dec 5, 2011 22:33:20 GMT+00:00
Subject: RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Hi Bill,
Not sure what you mean? I just opened it with Adobe Reader X and it opens fine.

Also opens fine within the browser window. I've enclosed the pdf here.

Dean

-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@apache.org]
Sent: Monday, December 05, 2011 2:42 PM
To: infrastructure-dev@apache.org
Cc: Richard Hall; Dean Coclin; Sam Ruby
Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
>
> It is batch-able and can be automated.  Obviously there is some work
> around setting up that functionality, but it can run on the signer's
> own PC as opposed to a central repository.  Here's a background paper
> on the code signing portal itself;
>
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf

Dean, FYI this pdf is pretty trashed by my up-to-date Acrobat reader.
Wondering if you know of any alternative formats?



RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dean Coclin <De...@symantec.com>.
Hi Bill,
Not sure what you mean? I just opened it with Adobe Reader X and it opens fine.

Also opens fine within the browser window. I've enclosed the pdf here.

Dean

-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@apache.org]
Sent: Monday, December 05, 2011 2:42 PM
To: infrastructure-dev@apache.org
Cc: Richard Hall; Dean Coclin; Sam Ruby
Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
>
> It is batch-able and can be automated.  Obviously there is some work
> around setting up that functionality, but it can run on the signer's
> own PC as opposed to a central repository.  Here's a background paper
> on the code signing portal itself;
>
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf

Dean, FYI this pdf is pretty trashed by my up-to-date Acrobat reader.
Wondering if you know of any alternative formats?


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@apache.org>.
On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> 
> It is batch-able and can be automated.  Obviously there is some work
> around setting up that functionality, but it can run on the signer's
> own PC as opposed to a central repository.  Here's a background paper
> on the code signing portal itself;
> 
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf

Dean, FYI this pdf is pretty trashed by my up-to-date Acrobat reader.
Wondering if you know of any alternative formats?


Re: [Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Brett Porter <br...@apache.org>.
On 15/12/2011, at 9:31 AM, William A. Rowe Jr. wrote:

> On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
>> On the subject of signing jars, Windows binaries and .msi installer
>> packages, it seems that infra-dev is partial to the ability to revoke
>> package signatures if an artifact is not released or is found to have
>> been corrupted, and that the code signing service from Symantec /
>> VeriSign / Thawte is the way to go here.
>> 
>> I spoke with Richard and Dean who confirmed that this service would
>> be offered at no cost to the ASF.  User accounts would be as one of two
>> roles, an administrator (root-ish) level and a publisher (committer)
>> who needs to sign packages.  There is no integration at present for
>> PAM style authentication into our ldap, or SSO solution in this
>> specific service so we would have to create accounts for each committer
>> who is doing signed binary releases.
>> 
>> It is batch-able and can be automated.  Obviously there is some work
>> around setting up that functionality, but it can run on the signer's
>> own PC as opposed to a central repository.  Here's a background paper
>> on the code signing portal itself;
>> 
>> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
>> 
>> It is due a major revision entering (or already in?) beta.  That version
>> introduces support for .jar signing in addition to Win binary/msi signing.
>> I asked and they are researching whether Apache could be invited to
>> participate in the beta, since we would only just be getting up to speed
>> by the time that portal version launches.
>> 
>> One major step would be for Sam, who is both our Legal VP and Infra VP,
>> to review the actual agreement/paperwork in detail and determine that
>> it would be something we are able to sign.  Dean, could you forward that
>> to Sam, even as we all learn more about the service and come to a decision
>> of whether we should adopt it or not?
> 
> What say we?
> 
> Has everyone interested had an opportunity to raise any questions already?
> 
> I'm +1 here, this seems like the straightest line, and I would love to start
> investigating how to automate using their API.  I'd like to see if we can't
> jump aboard their beta for .jar signing, too.
> 
> Are those interested in .jar signing/Ant, Maven integration ready to take
> a look at this?

I'm interested, but a bit short on time. If it did get set up I could probably help with those things though.

- Brett

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter






[Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> On the subject of signing jars, Windows binaries and .msi installer
> packages, it seems that infra-dev is partial to the ability to revoke
> package signatures if an artifact is not released or is found to have
> been corrupted, and that the code signing service from Symantec /
> VeriSign / Thawte is the way to go here.
> 
> I spoke with Richard and Dean who confirmed that this service would
> be offered at no cost to the ASF.  User accounts would be as one of two
> roles, an administrator (root-ish) level and a publisher (committer)
> who needs to sign packages.  There is no integration at present for
> PAM style authentication into our ldap, or SSO solution in this
> specific service so we would have to create accounts for each committer
> who is doing signed binary releases.
> 
> It is batch-able and can be automated.  Obviously there is some work
> around setting up that functionality, but it can run on the signer's
> own PC as opposed to a central repository.  Here's a background paper
> on the code signing portal itself;
> 
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
> 
> It is due a major revision entering (or already in?) beta.  That version
> introduces support for .jar signing in addition to Win binary/msi signing.
> I asked and they are researching whether Apache could be invited to
> participate in the beta, since we would only just be getting up to speed
> by the time that portal version launches.
> 
> One major step would be for Sam, who is both our Legal VP and Infra VP,
> to review the actual agreement/paperwork in detail and determine that
> it would be something we are able to sign.  Dean, could you forward that
> to Sam, even as we all learn more about the service and come to a decision
> of whether we should adopt it or not?

What say we?

Has everyone interested had an opportunity to raise any questions already?

I'm +1 here, this seems like the straightest line, and I would love to start
investigating how to automate using their API.  I'd like to see if we can't
jump aboard their beta for .jar signing, too.

Are those interested in .jar signing/Ant, Maven integration ready to take
a look at this?