Posted to infrastructure-issues@apache.org by "Scott Deboy (Created) (JIRA)" <ji...@apache.org> on 2011/10/05 01:49:34 UTC

[jira] [Created] (INFRA-3991) Request for code signing certificate

Request for code signing certificate
------------------------------------

                 Key: INFRA-3991
                 URL: https://issues.apache.org/jira/browse/INFRA-3991
             Project: Infrastructure
          Issue Type: New Feature
      Security Level: public (Regular issues)
            Reporter: Scott Deboy


The Logging Services project provides a WebStart-deployed Swing application, Chainsaw.  To deploy Chainsaw via WebStart and take advantage of all of its features, the jars that are downloaded must be signed by a code signing certificate which has been signed by a trusted root CA.

It would seem to me it would make sense to have this code signing certificate and associated keys managed by the ASF and not be a project-specific certificate, so other projects could take advantage of the same resources.  If you feel it makes more sense to get Logging Services its own code signing certificate that is managed by the PMC, I'm fine with that as well - I would just like the issue to be resolved.

I assume if this resource were an ASF-wide resource, the keys and certificate would be managed by infra.  If so, I'm not sure what workflow infra would like to use - maybe a jira issue with release candidate jars and pgp info, and signed jars could be added back to the same jira?  We don't release often, so just let us know what you would like.

Our needs are relatively simple, and I understand others may have more complex needs.  PMC members or the RM could manage self-signed certificates and 'get by', but I would rather have an official code signing cert provided by ASF itself.
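The description above states what WebStart requires of the downloaded jars: each must be signed by a code signing certificate that chains to a trusted root CA. As an added example, not code from Chainsaw, Logging Services or ASF infrastructure, the following Java program performs that check on a jar from the consuming side: every non-META-INF entry must carry a signature whose digest matches the entry's bytes, the leaf certificate must be a code-signing certificate, and at least one signer's chain must validate under PKIX against the JVM's default trust store. The class name, the JDK 9+ location of cacerts and its default password "changeit" are assumptions, not details from the ticket.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not Chainsaw or ASF code. Assumptions: JDK 9+ cacerts layout,
// default trust-store password "changeit", code-signing EKU required on the leaf.
public class JarSignatureCheck {

    /** Returns the number of verified entries; throws SecurityException on the first violation. */
    public static int verify(Path jarPath, KeyStore trustStore) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check; turn revocation on for production use
        int verified = 0;
        // verify=true makes JarFile compare each entry's digest with the signature file while
        // the entry is read, so every entry is read to the end before asking for its signers.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed entries
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { } // a tampered entry throws SecurityException here
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    if (chainsToTrustedRoot(signer.getSignerCertPath(), trustStore, cf, validator, params)) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) {
                    throw new SecurityException("no trusted code-signing chain for: " + entry.getName());
                }
                verified++;
            }
        }
        return verified;
    }

    /** True if the leaf carries the code-signing EKU and the chain validates under PKIX. */
    static boolean chainsToTrustedRoot(CertPath signerPath, KeyStore trustStore, CertificateFactory cf,
                                       CertPathValidator validator, PKIXParameters params) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : signerPath.getCertificates()) {
            chain.add((X509Certificate) c); // X.509 CertPath order: leaf first
        }
        if (chain.isEmpty()) return false;
        // id-kp-codeSigning (1.3.6.1.5.5.7.3.3) or anyExtendedKeyUsage (2.5.29.37.0); an absent
        // EKU extension is unrestricted per RFC 5280, so null is accepted.
        List<String> eku = chain.get(0).getExtendedKeyUsage();
        if (eku != null && !eku.contains("1.3.6.1.5.5.7.3.3") && !eku.contains("2.5.29.37.0")) {
            return false; // a TLS or e-mail certificate from a trusted CA is not a code-signing certificate
        }
        // PKIX takes trust anchors from params, not from the path: drop trailing trust-store certificates.
        while (!chain.isEmpty() && trustStore.getCertificateAlias(chain.get(chain.size() - 1)) != null) {
            chain.remove(chain.size() - 1);
        }
        if (chain.isEmpty()) return true; // the signer itself is a configured trust anchor
        try {
            validator.validate(cf.generateCertPath(chain), params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            trustStore.load(in, "changeit".toCharArray());
        }
        System.out.println(verify(Paths.get(args[0]), trustStore) + " entries verified");
    }
}
```

Run it as `javac JarSignatureCheck.java && java JarSignatureCheck path/to/app.jar` (the jar path is a placeholder). Note what this check does and does not establish: it confirms the jar was signed by some holder of a CA-issued code-signing certificate and has not been altered since, which is exactly what WebStart's trust prompt rests on, but it does not tie the jar to a particular project. A deployment that wants to know the signer is the expected one would additionally pin the leaf certificate's fingerprint or subject, which is a reason a per-project certificate managed by the PMC and a shared ASF-wide certificate have different verification stories.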

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Closed] (INFRA-3991) Request for code signing certificate

Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tony Stevenson closed INFRA-3991.
---------------------------------

    Resolution: Won't Fix
      Assignee: Tony Stevenson

Closing won't fix, for now. If you come up with a design that we can review and implement please feel free to open a new ticket with details.

[jira] [Commented] (INFRA-3991) Request for code signing certificate

Posted by "Sam Ruby (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13399531#comment-13399531 ] 

Sam Ruby commented on INFRA-3991:
---------------------------------

> maybe a jira issue with release candidate jars and pgp info, and signed jars could be added back to the same jira?

I don't think that's going to be workable. If we are going to have an "official code signing cert provided by ASF itself", we need to be able to certify that the results are, among other things, trojan and virus free.  Not too difficult for source artifacts, but a bit more involved for binary artifacts.

This will require a secure build infrastructure which is -- at a minimum -- fully auditable by the infrastructure team.  More likely it will require a secure build infrastructure which is /run/ by the infrastructure team.

When the aoo ppmc requested something similar, the infrastructure team asked the aoo ppmc to do the work of designing how such would work.  Once there are concrete plans, the infrastructure team can review them and decide what next steps (if any) are to be taken.

[jira] [Commented] (INFRA-3991) Request for code signing certificate

Posted by "Scott Deboy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13399464#comment-13399464 ] 

Scott Deboy commented on INFRA-3991:
------------------------------------

I understand there are other groups also interested in support for code signing (OpenOffice for example).  

Conversations are happening on infrastructure-dev, but it would be great to have a response or status tracked in Jira.  Mind using this issue for that?

Thanks