Posted to infrastructure-dev@apache.org by "William A. Rowe Jr." <wr...@apache.org> on 2012/01/19 20:49:46 UTC

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Taking a closer look at pg 3...

We will need to consider how this differs from our traditional
method of signing.  The flowchart is fairly clear.  It appears
that at any given time authorized users can upload an object
for signing, and obtain back either a dev, test or release signed
package.

The question is, for our purposes, will we simply jump straight
to the release signed package for voting?  Or do we want to take
advantage of that test flavor?

Perhaps we'll have to put it in motion, either as a beta experiment
or simply adopt it.  Because the ASF is very close to releasing

Any updates on the new .jar signing service features now that we
are in 2012?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@apache.org>.
On 1/19/2012 1:49 PM, William A. Rowe Jr. wrote:
> 
> Perhaps we'll have to put it in motion, either as a beta experiment
> or simply adopt it.  Because the ASF is very close to releasing

... httpd 2.4.0 I'd love to make that a first crack at this process.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@apache.org>.
On 1/19/2012 1:52 PM, Benson Margulies wrote:
> Did something get lost from this message? It seems to have important
> pieces missing.

How so?  You read the posts last month, right?

This was a general observation about the .pdf that accompanied the
code signing offer.

Discussion is in the archives under Dec 5.  Attached for your
convenience.

Did you mean to drop thawte/symantec from your question?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Benson Margulies <bi...@gmail.com>.
Did something get lost from this message? It seems to have important
pieces missing.

On Thu, Jan 19, 2012 at 2:49 PM, William A. Rowe Jr. <wr...@apache.org> wrote:
> Taking a closer look at pg 3...
>
> We will need to consider how this differs from our traditional
> method of signing.  The flowchart is fairly clear.  It appears
> that at any given time authorized users can upload an object
> for signing, and obtain back either a dev, test or release signed
> package.
>
> The question is, for our purposes, will we simply jump straight
> to the release signed package for voting?  Or do we want to take
> advantage of that test flavor?
>
> Perhaps we'll have to put it in motion, either as a beta experiment
> or simply adopt it.  Because the ASF is very close to releasing
>
> Any updates on the new .jar signing service features now that we
> are in 2012?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Mar 2, 2012, at 12:35 PM, Dave Cottlehuber wrote:

> On 2 March 2012 19:21, Dave Fisher <da...@comcast.net> wrote:
>> Hi,
>> 
>> The OpenOffice podling has a need to digitally sign AOO windows installers - .msi.
>> 
>> Is this process going forward? If so, what would the PPMC / IPMC need to do?
>> 
>> We would very likely use the dev, test, and release flavors. We already have developer builds and are now considering RC builds.
>> 
>> Best Regards,
>> Dave
>> 
>> On Jan 19, 2012, at 12:46 PM, Dave Cottlehuber wrote:
> 
> I'm also still interested - can we help out in any way?

It looks like we need to digitally sign .exe files as well.

Regards,
Dave

> 
> A+
> Dave


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Cottlehuber <da...@muse.net.nz>.
On 2 March 2012 19:21, Dave Fisher <da...@comcast.net> wrote:
> Hi,
>
> The OpenOffice podling has a need to digitally sign AOO windows installers - .msi.
>
> Is this process going forward? If so, what would the PPMC / IPMC need to do?
>
> We would very likely use the dev, test, and release flavors. We already have developer builds and are now considering RC builds.
>
> Best Regards,
> Dave
>
> On Jan 19, 2012, at 12:46 PM, Dave Cottlehuber wrote:

I'm also still interested - can we help out in any way?

A+
Dave

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
Hi,

The OpenOffice podling has a need to digitally sign AOO windows installers - .msi.

Is this process going forward? If so, what would the PPMC / IPMC need to do?

We would very likely use the dev, test, and release flavors. We already have developer builds and are now considering RC builds.

Best Regards,
Dave

On Jan 19, 2012, at 12:46 PM, Dave Cottlehuber wrote:

> On 19 January 2012 20:49, William A. Rowe Jr. <wr...@apache.org> wrote:
>> Taking a closer look at pg 3...
>> 
>> We will need to consider how this differs from our traditional
>> method of signing.  The flowchart is fairly clear.  It appears
>> that at any given time authorized users can upload an object
>> for signing, and obtain back either a dev, test or release signed
>> package.
>> 
>> The question is, for our purposes, will we simply jump straight
>> to the release signed package for voting?  Or do we want to take
>> advantage of that test flavor?
>> 
>> Perhaps we'll have to put it in motion, either as a beta experiment
>> or simply adopt it.  Because the ASF is very close to releasing
>> 
>> Any updates on the new .jar signing service features now that we
>> are in 2012?
> 
> I'm happy to try out the 2-phase process if there's a need for it in
> the ASF in general. For CouchDB purposes, it will be sufficient to
> sign directly - it will be a significant improvement over where we are
> today.
> 
> A+
> Dave


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Cottlehuber <da...@muse.net.nz>.
On 19 January 2012 20:49, William A. Rowe Jr. <wr...@apache.org> wrote:
> Taking a closer look at pg 3...
>
> We will need to consider how this differs from our traditional
> method of signing.  The flowchart is fairly clear.  It appears
> that at any given time authorized users can upload an object
> for signing, and obtain back either a dev, test or release signed
> package.
>
> The question is, for our purposes, will we simply jump straight
> to the release signed package for voting?  Or do we want to take
> advantage of that test flavor?
>
> Perhaps we'll have to put it in motion, either as a beta experiment
> or simply adopt it.  Because the ASF is very close to releasing
>
> Any updates on the new .jar signing service features now that we
> are in 2012?

I'm happy to try out the 2-phase process if there's a need for it in
the ASF in general. For CouchDB purposes, it will be sufficient to
sign directly - it will be a significant improvement over where we are
today.

A+
Dave

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Richard Hall <Ri...@symantec.com>.
Hi -

We often allow multiple choices during the signing process.  Test signings are typically either issued off of a different Root (untrusted) or issued off the same Root with a small window of validity (such as 3 days).  Test signings do not usually require any testing (they are signed immediately), whereas Production signings *could* require testing which would need approval/rejection before the signing occurs.

The .jar signing service is committed in our next release and will be available on Feb. 13th.

I hope that helps.

Regards,

-Rich

-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@apache.org] 
Sent: Thursday, January 19, 2012 2:50 PM
To: infrastructure-dev@apache.org; Richard Hall; Dean Coclin; Sam Ruby
Subject: RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Taking a closer look at pg 3...

We will need to consider how this differs from our traditional method of signing.  The flowchart is fairly clear.  It appears that at any given time authorized users can upload an object for signing, and obtain back either a dev, test or release signed package.

The question is, for our purposes, will we simply jump straight to the release signed package for voting?  Or do we want to take advantage of that test flavor?

Perhaps we'll have to put it in motion, either as a beta experiment or simply adopt it.  Because the ASF is very close to releasing

Any updates on the new .jar signing service features now that we are in 2012?
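Hall's description gives a reviewer two concrete things to look at before accepting a signed artifact for a release vote: whether the signer certificate chains to the production root at all, and how long that certificate is valid. The Go program below is an added example written for this page; it is not code from the ASF, Symantec or Thawte and does not describe their service internals. It mints constructed root and signer certificates, puts only the release root in the trust store, and classifies each signer according to the two test-signing schemes Hall lists. The 3-day threshold (Hall only says "such as 3 days"), the function names NewCA, IssueSigner and Classify, and the certificate subjects are all assumptions for the example. A real check would first verify the signature over the .jar/.msi/.exe with jarsigner or signtool and then apply this policy to the signer certificate that verification reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Flavor is the verdict on a signer certificate under the two test-signing
// schemes Hall describes: a separate untrusted root, or a short validity window.
type Flavor string

const (
	FlavorRelease        Flavor = "release signing"
	FlavorTestShortLived Flavor = "test signing (short validity window)"
	FlavorTestUntrusted  Flavor = "test signing or invalid (no chain to a trusted release root)"
	MaxTestValidity             = 3 * 24 * time.Hour // assumed threshold; Hall only says "such as 3 days"
)

// Classify decides whether a signer certificate is one a release vote should
// accept. The signature over the artifact itself is checked separately.
func Classify(leaf *x509.Certificate, trustedRoots *x509.CertPool, now time.Time) (Flavor, error) {
	// Scheme 2 first (short window off the production root), then scheme 1
	// (a root deliberately absent from the trust store). The window check is
	// independent of expiry, so a stale test cert is still reported as "test".
	if leaf.NotAfter.Sub(leaf.NotBefore) <= MaxTestValidity {
		return FlavorTestShortLived, nil
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       trustedRoots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return FlavorTestUntrusted, err
	}
	return FlavorRelease, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint creates a fresh P-256 key and a certificate for tmpl; parent == nil means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewCA mints a self-signed root. These are constructed fixtures, not Symantec/Thawte roots.
func NewCA(cn string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueSigner issues a code-signing leaf from ca with the given validity window.
func IssueSigner(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, notBefore time.Time, validity time.Duration) *x509.Certificate {
	cert, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
	return cert
}

func main() {
	now := time.Now()
	releaseRoot, releaseKey := NewCA("Example Release Root", now)
	testRoot, testKey := NewCA("Example Test Root", now)
	trusted := x509.NewCertPool()
	trusted.AddCert(releaseRoot) // only the release root is trusted for release votes
	start, year := now.Add(-time.Hour), 365*24*time.Hour
	names := []string{"release root, 1 year", "release root, 3 days", "test root, 1 year"}
	certs := []*x509.Certificate{
		IssueSigner(releaseRoot, releaseKey, "example signer", start, year),
		IssueSigner(releaseRoot, releaseKey, "example signer", start, MaxTestValidity),
		IssueSigner(testRoot, testKey, "example signer", start, year),
	}
	for i, cert := range certs {
		flavor, err := Classify(cert, trusted, now)
		fmt.Printf("%-22s -> %s (%v)\n", names[i], flavor, err)
	}
}
```

Only the release root goes into the pool, so a signer off the test root fails chain building even though it is otherwise well formed; that is exactly the property the "untrusted root" scheme relies on, and it is why a vote should not be taken on a test-signed package even when the signature itself verifies.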