Posted to infrastructure-dev@apache.org by Mark Thomas <ma...@apache.org> on 2014/10/14 21:09:11 UTC
Re: [Not! OFFLIST] Re: Code signing
On 14/10/2014 20:07, Mark Thomas wrote:
> On 10/10/2014 02:37, Raymond DeCampo wrote:
>> Mark,
>>
>> I've got the code running in a Maven plug in but I am running into an
>> authentication error when the service is called. I checked out the Tomcat
>> build scripts but they just have placeholders for the authentication
>> information.
>
> private static String USERNAME = "AOOAPI";
> private static String PASSWORD = "Demo1234!";
> private static String PARTNERCODE = "4615797APA95264";
And I am an idiot.
I'll get Symantec to change those but for now you can use them.
Mark
>
> Enjoy!
>
> Mark
>
>
>>
>> Also, I thought I should verify some assumptions I was making. First,
>> since this is a Maven plug-in, I assumed we were interested in signing the
>> archive built by the Maven script. Is this what we want or are we signing
>> an arbitrary set of files?
>>
>> Second, and this kind of goes with the first assumption, I assumed we were
>> signing JAR files and not executables. In this case I need to know how to
>> vary the parameters to the signing service. E.g., I imagine the
>> signingServiceName would be different from "Microsoft Signing".
>>
>> Thanks,
>> Ray
>>
>> On Wed, Sep 24, 2014 at 4:17 PM, Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 23/09/2014 20:45, Raymond DeCampo wrote:
>>>> I'll see what I can glean from the WSDL
>>>
>>> That and the Tomcat code should be enough for you to figure things out.
>>>
>>> I discovered today that the production service and the test service have
>>> some minor differences. The production service needs files to have
>>> extensions else it fails to sign them. So, rather than naming the files
>>> 0,1,2 etc. the Tomcat code now retains the original file extension so
>>> the names are 0.exe,1.dll, etc.
>>>
>>>> I have joined the mailing list
>>>
>>> Excellent.
>>>
>>> Mark
>>>
>>>
>>>>
>>>> On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>>> On 23/09/2014 15:20, Mark Thomas wrote:
>>>>>> On 22/09/2014 21:39, Raymond DeCampo wrote:
>>>>>>> Mark,
>>>>>>>
>>>>>>> Do you have any documentation on the web service that is being used to
>>>>>>> sign the code?
>>>>>>
>>>>>> I do, but it was under an NDA. Symantec were going to relax that so we
>>>>>> could share the API information. Let me check where we are with that.
>>>>>
>>>>> Hmm. Symantec are happy that any code that interacts with the API is
>>>>> public but they haven't said we can share the API doc (to be fair I
>>>>> haven't asked).
>>>>>
>>>>> For now, the WSDL is public and can be obtained here:
>>>>> https://api.ws.symantec.com/webtrust/SigningService?wsdl
>>>>>
>>>>> Is that enough or do you need more? If you have specific questions I can
>>>>> answer them.
>>>>>
>>>>>> Also, I'm moving this discussion to the appropriate list -
>>>>>> infrastructure-dev@apache.org. Please subscribe to that list.
>>>>>
>>>>> Let me know when you do, and I'll stop cc'ing you.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Mark
>>>>>
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ray
>>>>>>>
>>>>>>> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas <markt@apache.org> wrote:
>>>>>>>
>>>>>>> On 12/09/2014 19:34, Raymond DeCampo wrote:
>>>>>>> > Mark,
>>>>>>> >
>>>>>>> > I haven't coded a maven plugin before but I am willing to figure it
>>>>>>> > out as I have been looking for some way to contribute.
>>>>>>> >
>>>>>>> > Just dump me whatever information/code you have and I will take it
>>>>>>> > from there. Given you have an ANT plug in already working I don't
>>>>>>> > anticipate it will be too difficult.
>>>>>>>
>>>>>>> Thanks for the offer. Am I correct in thinking you aren't an Apache
>>>>>>> Committer? Getting you access to the test instance in that case might
>>>>>>> be a little tricky. We can cross that bridge when we come to it.
>>>>>>>
>>>>>>> The Ant task is here:
>>>>>>>
>>>>>>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
>>>>>>>
>>>>>>> It does have an issue in that it loads the Base64 of the zip of the
>>>>>>> files to be signed into memory. It would be much better if it was
>>>>>>> streamed. If you fancy taking a look at that first...
>>>>>>>
>>>>>>> > Although, I did want to ask if ASF has any existing maven plugins
>>>>>>> > so I can stay consistent with the established style.
>>>>>>>
>>>>>>> This is going to be an infrastructure tool and we don't have any
>>>>>>> Maven plugins I am aware of. To be perfectly honest I am far more
>>>>>>> concerned about getting something working than style.
>>>>>>>
>>>>>>> We should probably continue this on a list somewhere. Let me figure
>>>>>>> out which one is best.
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>> >
>>>>>>> > Thanks,
>>>>>>> > Ray
>>>>>>> >
>>>>>>> >
>>>>>>> > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas <markt@apache.org> wrote:
>>>>>>> >
>>>>>>> > All,
>>>>>>> >
>>>>>>> > You may be aware that the ASF infra team has been working on
>>>>>>> > getting a code signing service set up.
>>>>>>> >
>>>>>>> > The test project for this is Apache Tomcat and we are at the point
>>>>>>> > where we are ready to do our first real signing. So why am I
>>>>>>> > writing to the Commons dev list? Daemon.
>>>>>>> >
>>>>>>> > Tomcat uses Commons Daemon so we'd like to build the signed Tomcat
>>>>>>> > release with signed Commons Daemon binaries. I have the signing for
>>>>>>> > the Tomcat build automated but the Commons one is manual for now so
>>>>>>> > there are no tools to check in.
>>>>>>> >
>>>>>>> > The ASF will eventually need a Maven plugin to do signing as part
>>>>>>> > of the build. If anyone would like to volunteer (I have a simple
>>>>>>> > Ant plug-in written) let me know.
>>>>>>> >
>>>>>>> > Shortly I will be starting a release vote for a signed version of
>>>>>>> > Commons Daemon 1.0.15. This will be exactly the same as the
>>>>>>> > binaries we have already shipped apart from that the Windows
>>>>>>> > binaries in the packages will be signed executables. I plan to
>>>>>>> > stage them alongside the existing 1.0.15 binaries rather than
>>>>>>> > replace them. Eventually, I expect the Daemon release process to
>>>>>>> > generate signed binaries.
>>>>>>> >
>>>>>>> > Any questions, just ask.
>>>>>>> >
>>>>>>> > Mark
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>>>> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>>>> <ma...@commons.apache.org>
>>>>>>> > <mailto:dev-unsubscribe@commons.apache.org
>>>>>>> <ma...@commons.apache.org>>
>>>>>>> > For additional commands, e-mail:
>>> dev-help@commons.apache.org
>>>>> <ma...@commons.apache.org>
>>>>>>> > <mailto:dev-help@commons.apache.org
>>>>>>> <ma...@commons.apache.org>>
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
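The thread raises three practical points about the signing client: the production service rejects zip entries without a file extension, so the Tomcat task now names them 0.exe, 1.dll and so on; the Ant task builds the Base64 of the whole zip in memory and should stream it instead; and the credentials that leaked above were hard-coded constants. The following is an added example, not code from the thread, from Tomcat's SignCode.java or from the Maven plug-in being written: it packs the files to be signed into a zip with extension-preserving entry names and streams the Base64 encoding of that zip to an output stream, and it reads the service credentials from system properties instead of constants. It assumes the service consumes a Base64-encoded zip (as the thread describes) and stops at producing that payload; the SOAP call itself is not shown because the API documentation is under NDA. The property names (signing.username, signing.password, signing.partnerCode) are an assumption of this example.

```java
import java.io.BufferedOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

/*
 * Added example; not the Tomcat SignCode task or the Maven plug-in.
 * Produces the Base64-encoded zip that the thread says the signing
 * service consumes, without holding the zip or its Base64 in memory.
 */
public final class SigningPayload {

    private SigningPayload() {}

    /** Service credentials, read at runtime rather than compiled in. */
    public static final class Credentials {
        public final String username;
        public final String password;
        public final String partnerCode;

        private Credentials(String username, String password, String partnerCode) {
            this.username = username;
            this.password = password;
            this.partnerCode = partnerCode;
        }

        /** Property names are an assumption of this example. */
        public static Credentials fromSystemProperties() {
            return new Credentials(require("signing.username"),
                                   require("signing.password"),
                                   require("signing.partnerCode"));
        }

        private static String require(String key) {
            String value = System.getProperty(key);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("missing system property " + key);
            }
            return value;
        }
    }

    /**
     * Name the i-th zip entry "i.ext", keeping the original extension
     * because the production service refuses extension-less names.
     * Falls back to "i" only when the file has no extension at all.
     */
    static String entryName(int index, Path file) {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return Integer.toString(index);
        }
        return index + name.substring(dot);
    }

    /**
     * Zip the files and write the Base64 of the zip straight to out.
     * ZipOutputStream feeds a Base64-encoding stream that feeds out, so
     * only the copy buffer is held in memory regardless of input size.
     */
    public static void writeBase64Zip(List<Path> files, OutputStream out) throws IOException {
        OutputStream b64 = Base64.getEncoder().wrap(out);
        try (ZipOutputStream zip = new ZipOutputStream(b64)) {
            byte[] buf = new byte[8192];
            for (int i = 0; i < files.size(); i++) {
                Path f = files.get(i);
                zip.putNextEntry(new ZipEntry(entryName(i, f)));
                try (InputStream in = Files.newInputStream(f)) {
                    int n;
                    while ((n = in.read(buf)) != -1) {
                        zip.write(buf, 0, n);
                    }
                }
                zip.closeEntry();
            }
        }
        // Closing the ZipOutputStream closes the Base64 stream, which
        // writes the final padding and closes out.
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 2) {
            System.err.println("usage: SigningPayload <out.b64> <file>...");
            System.exit(2);
        }
        Credentials creds = Credentials.fromSystemProperties();
        List<Path> files = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            files.add(Paths.get(args[i]));
        }
        try (OutputStream out = new BufferedOutputStream(Files.newOutputStream(Paths.get(args[0])))) {
            writeBase64Zip(files, out);
        }
        // Never echo the password; the partner code and user are enough to confirm which account is in use.
        System.out.println("payload written for partner " + creds.partnerCode + " as " + creds.username);
    }
}
```

Run as `java -Dsigning.username=... -Dsigning.password=... -Dsigning.partnerCode=... SigningPayload payload.b64 prunsrv.exe prunmgr.exe`; the entries inside the zip are named 0.exe and 1.exe. In a Maven plug-in the same properties would come from the build's settings.xml or the environment, which keeps them out of the repository.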