Posted to infrastructure-dev@apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2012/07/18 00:14:08 UTC

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Richard, Dean, can you provide any insight? I just reviewed the infra-dev
list history... if I missed your earlier reply I apologize in advance.

Bill

On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> Q's for Dean inline;
> 
> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>
>> sorry for jumping in but I hope that a short question is allowed.
> 
> [Yes, that's why we launched the thread here for anyone interested in
> signing ASF binary objects.]
> 
>> I am currently investigating a reliable code signing process for
>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>> and especially the upcoming Windows 8.
>>
>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>> build, package the files in an msi/setup etc., sign the final setup bits
>> and finally sign a downloadable self extracting exe.
>>
>> Because of the huge size and the many many files I believe that it makes
>> most sense to have a certificate on a dedicated build machine.
> 
> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> case for reasons already spelled out on the list.  As I was designing the
> svn <-> signing service, I was actually laying it out that I myself would
> never have access to that key myself.
> 
> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> the individual bits in that package, and refold it back into a .cab (and
> nested back into the .msi, which is then itself signed).  The same could
> be true for a Java .jar (.zip) binaries collection.
> 
> 
> Dean, a few additional questions for you from these thoughts;
> 
> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> sign multiple embedded bits?
> 
> Is the logic out there for 'batching' a bunch of files together?
> 
> In either case, will a single 'signing key' be used, or will each individual
> artifact be individually signed?
> 
> Can .msi or .jar packages themselves be signed through the service?
> 
> And finally, has anything changed in the past year about an organization having
> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> individual or department keys?  Last I understood, only a single org code
> signing cert would be made available.  We have approx 12 RM's at the ASF today
> who would like to begin signing packages, if one key/cert can be tied into one
> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> signing key?
> 
>> But anyway whatever process in the end is working and possible, I would
>> like to ask if it is possible to get some kind of test certificate to
>> improve our testing.
> 
> Or, perhaps test-integrate with the signing service, if it provides for batch
> submission?
> 
>> My self signed certificate created with makecert is 1024 bit only and I
>> have read that a code signing cert has to be at least 2024 bits. I
>> don't know if that makes a difference in the Windows 8 App Certification
>> Kit.
> 
> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> reliable cryptography is 2048 bits today (measured as an RSA style key,
> obviously DSS/DH and ECC use different logic and different 'safe' key
> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> but I won't be holding my breath on that one :)
> 
> Secondly, any pointers to local test signing certs for binaries and .msi
> packages on windows would be very helpful to me as well.
> 
>> I think AOO with currently >6million downloads (since May 8th) can be a
>> good promotion for Symantec when people notice where the certificate
>> comes from.
> 
> +1 :)
> 
> 
> 
> 
> 
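
Added example (not part of the thread, and not code from the ASF or from the signing service): a sketch of the inside-out order the quoted design describes, where a package is unfolded, each embedded file is signed, the package is refolded, and only then is the package itself signed. Assumptions: ZIP archives stand in for .cab/.msi/.jar containers, an HMAC stands in for the certificate-based signature, and every name, marker and sample byte string is constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile

# Stand-in for the key held only by the signing service (assumption: a real
# service would use an asymmetric code-signing key that never leaves it).
SERVICE_KEY = b"constructed-demo-key"
SIG_MEMBER = "META-INF/DEMO.SIG"   # hypothetical name of the container signature
TRAILER = b"\n--DEMO-SIG--"        # hypothetical marker for an embedded signature


def mac(data: bytes) -> bytes:
    return hmac.new(SERVICE_KEY, data, hashlib.sha256).hexdigest().encode()


def is_container(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def unpack(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def pack(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(members):
            zf.writestr(name, members[name])
    return buf.getvalue()


def manifest_of(members: dict) -> bytes:
    # One "digest  name" line per member, like the digest list in a JAR manifest.
    lines = [f"{hashlib.sha256(members[n]).hexdigest()}  {n}" for n in sorted(members)]
    return "\n".join(lines).encode()


def sign(data: bytes) -> bytes:
    """Sign inside-out: embedded files first, then the container that holds them."""
    if not is_container(data):
        # An embedded signature changes the file's bytes, so it must exist
        # before any enclosing container is digested.
        return data + TRAILER + mac(data)
    members = {n: sign(b) for n, b in unpack(data).items() if n != SIG_MEMBER}
    manifest = manifest_of(members)            # digests of the signed members
    members[SIG_MEMBER] = manifest + b"\n" + mac(manifest)
    return pack(members)


def sign_outside_in(data: bytes) -> bytes:
    """Wrong order, for contrast: the container is digested before its members are signed."""
    members = unpack(data)
    manifest = manifest_of(members)
    signed = {n: sign(b) for n, b in members.items()}
    signed[SIG_MEMBER] = manifest + b"\n" + mac(manifest)
    return pack(signed)


def verify(data: bytes) -> bool:
    """Check the container signature, the member digests, and every nested signature."""
    if not is_container(data):
        body, sep, tag = data.rpartition(TRAILER)
        return bool(sep) and hmac.compare_digest(tag, mac(body))
    members = unpack(data)
    sig = members.pop(SIG_MEMBER, None)
    if sig is None:
        return False
    manifest, _, tag = sig.rpartition(b"\n")
    if not hmac.compare_digest(tag, mac(manifest)):
        return False
    if manifest != manifest_of(members):
        return False                            # a member changed after signing
    return all(verify(b) for b in members.values())


def build_sample() -> bytes:
    # Constructed package: an inner archive (the ".cab") nested in an outer one (the ".msi").
    cab = pack({"app.dll": b"constructed dll bytes", "app.exe": b"constructed exe bytes"})
    return pack({"payload.cab": cab, "setup.exe": b"constructed setup bytes"})


if __name__ == "__main__":
    package = build_sample()
    print("inside-out verifies:", verify(sign(package)))
    print("outside-in verifies:", verify(sign_outside_in(package)))
```

The same ordering constraint applies to batch submission: whatever signs the outer package has to see the already-signed inner files, or the outer digest no longer matches what ships.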



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Rob Weir <ro...@apache.org>.
On Thu, Aug 16, 2012 at 4:38 PM, Dave Fisher <da...@comcast.net> wrote:
>
> On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:
>
>> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>>> Maybe infra-structure can give me feedback what doesn't work with these
>>> proposals. And as typical at Apache if you have concerns (-1) come up
>>> with another proposal that fulfill better the needs of infra-structure
>>
>> Infra do have veto power over PMCs with respect to solutions that
>> involve obtaining and maintaining any sort of central secret (e.g.,
>> certificate private key).
>>
>> Now, would you quit citing policies of this org to people who had been
>> Members thereof before you heard of it?
>
> One of Jürgen's proposals was in essence to have infrastructure controlled buildbots with project provided setups which would be run by the Infrastructure team that would include certificates that were under Infrastructure's control. These buildbots would be based on the project's ci buildbots. Infrastructure would be given the release tag and would be able to fully build each of the binary artifacts on the appropriate OS.
>

I like the direction this is headed.  One consideration is whether
every build is signed or whether this is done only on request.  If
done on request we need to determine how a request is made.  The more
complicated case is with security-fix related releases where there
would be a need to keep the existence and timing of that release private
until the last possible opportunity.

-Rob


> Perhaps that would meet Infrastructure's approval?
>
> So far these proposals have been met with lazy -1's. Please tell us what is wrong with these ideas? This really is a good faith attempt to be compliant with what we all agree are important policies. Specifically assuring that the ASF's credibility is not in any way damaged by the misuse of an apache.org digital signing certificate.
>
> Regards,
> Dave
>
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:

> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>> Maybe infra-structure can give me feedback what doesn't work with these
>> proposals. And as typical at Apache if you have concerns (-1) come up
>> with another proposal that fulfill better the needs of infra-structure
> 
> Infra do have veto power over PMCs with respect to solutions that
> involve obtaining and maintaining any sort of central secret (e.g.,
> certificate private key).
> 
> Now, would you quit citing policies of this org to people who had been
> Members thereof before you heard of it?

One of Jürgen's proposals was in essence to have infrastructure controlled buildbots with project provided setups which would be run by the Infrastructure team that would include certificates that were under Infrastructure's control. These buildbots would be based on the project's ci buildbots. Infrastructure would be given the release tag and would be able to fully build each of the binary artifacts on the appropriate OS.

Perhaps that would meet Infrastructure's approval?

So far these proposals have been met with lazy -1's. Please tell us what is wrong with these ideas? This really is a good faith attempt to be compliant with what we all agree are important policies. Specifically assuring that the ASF's credibility is not in any way damaged by the misuse of an apache.org digital signing certificate.

Regards,
Dave



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
> Maybe infra-structure can give me feedback what doesn't work with these
> proposals. And as typical at Apache if you have concerns (-1) come up
> with another proposal that fulfill better the needs of infra-structure

Infra do have veto power over PMCs with respect to solutions that
involve obtaining and maintaining any sort of central secret (e.g.,
certificate private key).

Now, would you quit citing policies of this org to people who had been
Members thereof before you heard of it?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Rob,

On Wed, Aug 29, 2012 at 7:27 PM, Rob Weir <ro...@apache.org> wrote:
> ...In any case, the root page is "immutable" for me.  Can someone with
> sufficient rights create the new page?...

I have created http://wiki.apache.org/general/ASFCodeSigning and made
some suggestions in there as to how to go forward.

-Bertrand

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 17, 2012 at 12:29 PM, Tony Stevenson <pc...@apache.org> wrote:
>
> On 17 Aug 2012, at 12:38, Tony Stevenson <to...@pc-tony.com> wrote:
>
>> wiki.a.o/general/FooSSLPageHere or some such would be fine with me.
>

As a top-level page?  Or would we prefer to structure it as an
infra-dev root page and a code signing page linked from there?

In any case, the root page is "immutable" for me.  Can someone with
sufficient rights create the new page?

-Rob

> Actually the more I think about it, the better this seems.  Once all the proposals are ready for review please ping us and we can take it on, then.  That would be infinitely easier than collating all the emails on the topic.
>
>
>
> Tony
>
> ---------------------------------------
> Tony Stevenson
>
> tony@pc-tony.com // pctony@apache.org
> tony@caret.cam.ac.uk
>
> http://blog.pc-tony.com
>
> GPG - 1024D/51047D66
> --------------------------------------
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.
On 17 Aug 2012, at 12:38, Tony Stevenson <to...@pc-tony.com> wrote:

> wiki.a.o/general/FooSSLPageHere or some such would be fine with me. 

Actually the more I think about it, the better this seems.  Once all the proposals are ready for review please ping us and we can take it on, then.  That would be infinitely easier than collating all the emails on the topic.



Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <to...@pc-tony.com>.
On 17 Aug 2012, at 12:35, Bertrand Delacretaz <bd...@apache.org> wrote:

> On Thu, Aug 16, 2012 at 8:47 PM, William A. Rowe Jr.
> <wr...@rowe-clan.net> wrote:
>> ...If this proposal is also added to a Wiki, I think it will become less confusing
>> for folks to follow....
> 
> Big +1, considering that it's a somewhat disjoint group of people who
> are interested in this, I would suggest that representatives of the
> projects that need this work together on a wiki page that defines
> their *requirements* (without talking about tools at first, if
> possible, or at least clearly separate the core requirements from
> tools suggestions) so that infra and others can look at that and
> attack the problem at its core.
> 

wiki.a.o/general/FooSSLPageHere or some such would be fine with me. 
 

> I assume it's fine to use this list to coordinate this requirements work.
> 
> -Bertrand


Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Aug 16, 2012 at 8:47 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> ...If this proposal is also added to a Wiki, I think it will become less confusing
> for folks to follow....

Big +1, considering that it's a somewhat disjoint group of people who
are interested in this, I would suggest that representatives of the
projects that need this work together on a wiki page that defines
their *requirements* (without talking about tools at first, if
possible, or at least clearly separate the core requirements from
tools suggestions) so that infra and others can look at that and
attack the problem at its core.

I assume it's fine to use this list to coordinate this requirements work.

-Bertrand

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/16/2012 1:25 PM, Om wrote:
> On Wed, Aug 15, 2012 at 3:53 PM, Om <bi...@gmail.com> wrote:
> 
>> Tony,
>>
>> On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
>> proposal: [1]
>> On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
>> original proposal so that it works for Apache Flex as well: [2]
>>
>> Can you please take a look and let me know if this works and what else
>> needs to be answered?
>>
>> Thanks,
>> Om
>>
>> [1] http://markmail.org/message/2xx5ia72b6xestur
>> [2] http://markmail.org/message/chupjp5tsuosiu23
>>
>>
> Before this gets buried, I want to highlight the current proposals on the
> table and ask for feedback.  If we get feedback, we will be able to move
> forward.

If this proposal is also added to a Wiki, I think it will become less confusing
for folks to follow.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Wed, Aug 15, 2012 at 3:53 PM, Om <bi...@gmail.com> wrote:

> Tony,
>
> On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
> proposal: [1]
> On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
> original proposal so that it works for Apache Flex as well: [2]
>
> Can you please take a look and let me know if this works and what else
> needs to be answered?
>
> Thanks,
> Om
>
> [1] http://markmail.org/message/2xx5ia72b6xestur
> [2] http://markmail.org/message/chupjp5tsuosiu23
>
>
Before this gets buried, I want to highlight the current proposals on the
table and ask for feedback.  If we get feedback, we will be able to move
forward.

Thanks,
Om

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
Tony,

On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
proposal: [1]
On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
original proposal so that it works for Apache Flex as well: [2]

Can you please take a look and let me know if this works and what else needs
to be answered?

Thanks,
Om

[1] http://markmail.org/message/2xx5ia72b6xestur
[2] http://markmail.org/message/chupjp5tsuosiu23

On Wed, Aug 15, 2012 at 3:20 PM, Tony Stevenson <pc...@apache.org> wrote:

>
>
> Sent from my iPad
>
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>
> > On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
> >
> >>
> >> On Jul 19, 2012, at 11:16 AM, Om wrote:
> >>
> >> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Richard_Hall@symantec.com> wrote:
> >>
> >>> Hi Dave,
> >>>
> >>> Our hosted signing service does not currently provide the ability to sign
> >>> Air applications, but we do offer Code Signing certs for Adobe Air from our
> >>> website:
> >>>
> >>> http://www.symantec.com/verisign/code-signing/adobe-air
> >>>
> >>> Would this work for you?  Please let us know if you have any questions.
> >>>
> >>> Thanks,
> >>>
> >>> Rich
> >>>
> >>>
> >> Rich,
> >>
> >> This would work perfectly fine for us.
> >>
> >>
> >> Om,
> >>
> >> And now the question is for the Apache Infrastructure team. Assuming that
> >> an apache.org certificate for signing AIR applications is purchased The
> >> ASF how will it be handled? And that is the other thread.
> >>
> >> Thanks,
> >> Dave
> >>
> >>
> > Do we know if there has been any work/discussion on this?  We are preparing
> > our installer app for release and valid certificate would be very good to
> > have.
> >
> > What should I (or infra) do to get this certificate approved and purchased
> > for us by us?  How can I help speed up this process?
> >
> > Thanks,
> > Om
>
>
> Om,
>
> We, infra, are still waiting for someone to come to us with a proposal on
> how to deploy this within the bounds we have laid out several times both
> here and in Jira. We won't just randomly set something up.
>
> Until we are in receipt of such, and we have had a chance to review the same,
> we won't be purchasing any such certificate, and no project should be going
> direct to any supplier to do the same. There are very real concerns we have
> and we want to see them fully addressed before proceeding.
>
> To be clear, this needs to stop at this juncture until we are happy to
> proceed. If you require this for delivery of a binary installer, can I
> suggest that you and your project, perhaps in conjunction with another
> projects come up with this plan we have asked for.

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Aug 16, 2012, at 12:08 AM, Jürgen Schmidt wrote:

> On 8/16/12 1:38 AM, Dave Fisher wrote:
>> Hi Tony,
>> 
>> The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.
>> 
>> Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.
>> 
> it can be a duplicate image of the Windows build bot where the
> certificate is installed. The builds have to be triggered by someone who
> has access to this machine. But we can of course automate it probably
> to simply start a script and give a revision as input

Exactly.

> 
> 
>> I think that Flex will want both Windows and Mac buildbots as well.
> 
> AOO in the future as well

Andrew is waiting for the Mac buildbot - here is the buildbot master JIRA for AOO - INFRA-4197 More Buildbots for Apache OpenOffice

> 
>> 
>> INFRA-4902 Create Mac buildbot
>> 
>> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)
> 
> What exactly are your problems, which system do you use, Mountain Lion?
> Until today I am not aware that anybody has built AOO on Mountain Lion
> and even on Lion it requires some work. Apple/MacOS is not really
> developer friendly if you don't walk inside the "closed" Apple world ;-)

I've got past this issue. cpan had its permissions changed removing the a+x.

I had to upgrade LWP::UserAgent in cpan. cpan install only saw I had LWP::UserAgent and this was missing the show_progress method.

I'm on MacOSX 10.6.8

> 
>> 
>> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)
> 
> that's true, signing from Apple or from a developer with an official and
> registered Apple developer ID. I haven't analyzed the signing process on
> Mountain Lion in detail so far but that is on the list.

My newer Mac is on Lion w/a free Mountain Lion upgrade, but I haven't had the free time to move everything around as I need more backup disk space first.

And yes this is a detail.

> 
> Juergen
> 
>> 
>> Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."
>> 
>> Regards,
>> Dave 
>> 
>> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>> 
>>> 
>>> 
>>> Sent from my iPad
>>> 
>>> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>>> 
>>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>>> 
>>>>> 
>>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>> 
>>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>>> 
>>>>>> Hi Dave,
>>>>>> 
>>>>>> Our hosted signing service does not currently provide the ability to sign
>>>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>>>> website:
>>>>>> 
>>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>> 
>>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Rich
>>>>>> 
>>>>>> 
>>>>> Rich,
>>>>> 
>>>>> This would work perfectly fine for us.
>>>>> 
>>>>> 
>>>>> Om,
>>>>> 
>>>>> And now the question is for the Apache Infrastructure team. Assuming that
>>>>> an apache.org certificate for signing AIR applications is purchased The
>>>>> ASF how will it be handled? And that is the other thread.
>>>>> 
>>>>> Thanks,
>>>>> Dave
>>>>> 
>>>>> 
>>>> Do we know if there has been any work/discussion on this?  We are preparing
>>>> our installer app for release and valid certificate would be very good to
>>>> have.
>>>> 
>>>> What should I (or infra) do to get this certificate approved and purchased
>>>> for us by us?  How can I help speed up this process?
>>>> 
>>>> Thanks,
>>>> Om
>>> 
>>> 
>>> Om, 
>>> 
>>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
>>> 
>>> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>>>
>>> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another projects come up with this plan we have asked for.
>> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/16/12 1:38 AM, Dave Fisher wrote:
> Hi Tony,
> 
> The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.
> 
> Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.
> 
it can be a duplicate image of the Windows build bot where the
certificate is installed. The builds have to be triggered by someone who
has access to this machine. But we can of course automate it probably
to simply start a script and give a revision as input


> I think that Flex will want both Windows and Mac buildbots as well.

AOO in the future as well

> 
> INFRA-4902 Create Mac buildbot
> 
> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)

What exactly are your problems, which system do you use, Mountain Lion?
Until today I am not aware that anybody has built AOO on Mountain Lion
and even on Lion it requires some work. Apple/MacOS is not really
developer friendly if you don't walk inside the "closed" Apple world ;-)

> 
> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)

that's true, signing from Apple or from a developer with an official and
registered Apple developer ID. I haven't analyzed the signing process on
Mountain Lion in detail so far but that is on the list.

Juergen

> 
> Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."
> 
> Regards,
> Dave 
> 
> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
> 
>>
>>
>> Sent from my iPad
>>
>> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>>
>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>>
>>>>
>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>
>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>>
>>>>> Hi Dave,
>>>>>
>>>>> Our hosted signing service does not currently provide the ability to sign
>>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>>> website:
>>>>>
>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>
>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Rich
>>>>>
>>>>>
>>>> Rich,
>>>>
>>>> This would work perfectly fine for us.
>>>>
>>>>
>>>> Om,
>>>>
>>>> And now the question is for the Apache Infrastructure team. Assuming that
>>>> an apache.org certificate for signing AIR applications is purchased The
>>>> ASF how will it be handled? And that is the other thread.
>>>>
>>>> Thanks,
>>>> Dave
>>>>
>>>>
>>> Do we know if there has been any work/discussion on this?  We are preparing
>>> our installer app for release and valid certificate would be very good to
>>> have.
>>>
>>> What should I (or infra) do to get this certificate approved and purchased
>>> for us by us?  How can I help speed up this process?
>>>
>>> Thanks,
>>> Om
>>
>>
>> Om, 
>>
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
>>
>> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>>
>> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another projects come up with this plan we have asked for.
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Scott Deboy <sc...@gmail.com>.
Chainsaw also has a need to deliver a Mac image (DMG) as well as signed
jars for web start deployment.  I assume the DMG would need the same
support mentioned for Mountain Lion.

Scott

On Wed, Aug 15, 2012 at 4:38 PM, Dave Fisher <da...@comcast.net> wrote:

> Hi Tony,
>
> The bounds are very tight. I thought that Jürgen was pretty clear about
> how the reality of the current build makes it difficult to create a bot to
> do this. His proposal is essentially special buildbots under infra's
> control.
>
> Perhaps if AOO had all the various requested buildbots we might figure out
> how to make the proposed special buildbot that only infra can control
> because it has these special certificates.
>
> I think that Flex will want both Windows and Mac buildbots as well.
>
> INFRA-4902 Create Mac buildbot
>
> (I just entered perl / cpan hell and going into time machine due to a
> missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working
> buildbot would have caught this issue.)
>
> BTW - Mountain Lion is requiring Signing Certs from Apple and not others.
> (It's what I hear on the street, am I wrong Dean and Richard?)
>
> Does it make sense to proceed with platforms that are needed for CI and
> where the signing solution would possibly "live."
>
> Regards,
> Dave
>
> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>
> >
> >
> > Sent from my iPad
> >
> > On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> >
> >> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
> >>
> >>>
> >>> On Jul 19, 2012, at 11:16 AM, Om wrote:
> >>>
> >>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Richard_Hall@symantec.com> wrote:
> >>>
> >>>> Hi Dave,
> >>>>
> >>>> Our hosted signing service does not currently provide the ability to sign
> >>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
> >>>> website:
> >>>>
> >>>> http://www.symantec.com/verisign/code-signing/adobe-air
> >>>>
> >>>> Would this work for you?  Please let us know if you have any questions.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Rich
> >>>>
> >>>>
> >>> Rich,
> >>>
> >>> This would work perfectly fine for us.
> >>>
> >>>
> >>> Om,
> >>>
> >>> And now the question is for the Apache Infrastructure team. Assuming that
> >>> an apache.org certificate for signing AIR applications is purchased The
> >>> ASF how will it be handled? And that is the other thread.
> >>>
> >>> Thanks,
> >>> Dave
> >>>
> >>>
> >> Do we know if there has been any work/discussion on this?  We are preparing
> >> our installer app for release and valid certificate would be very good to
> >> have.
> >>
> >> What should I (or infra) do to get this certificate approved and purchased
> >> for us by us?  How can I help speed up this process?
> >>
> >> Thanks,
> >> Om
> >
> >
> > Om,
> >
> > We, infra, are still waiting for someone to come to us with a proposal
> > on how to deploy this within the bounds we have laid out several times both
> > here and in Jira. We won't just randomly set something up.
> >
> > Until we are in receipt of such, and we have had a chance to review the
> > same, we won't be purchasing any such certificate, and no project should be
> > going direct to any supplier to do the same. There are very real concerns
> > we have and we want to see them fully addressed before proceeding.
> >
> > To be clear, this needs to stop at this juncture until we are happy to
> > proceed. If you require this for delivery of a binary installer, can I
> > suggest that you and your project, perhaps in conjunction with another
> > projects come up with this plan we have asked for.
>
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
Hi Tony,

The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.

Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.

I think that Flex will want both Windows and Mac buildbots as well.

INFRA-4902 Create Mac buildbot

(I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)

BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)

Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."

Regards,
Dave 

On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:

> 
> 
> Sent from my iPad
> 
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> 
>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>> 
>>> 
>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>> 
>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>> 
>>>> Hi Dave,
>>>> 
>>>> Our hosted signing service does not currently provide the ability to sign
>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>> website:
>>>> 
>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>> 
>>>> Would this work for you?  Please let us know if you have any questions.
>>>> 
>>>> Thanks,
>>>> 
>>>> Rich
>>>> 
>>>> 
>>> Rich,
>>> 
>>> This would work perfectly fine for us.
>>> 
>>> 
>>> Om,
>>> 
>>> And now the question is for the Apache Infrastructure team. Assuming that
>>> an apache.org certificate for signing AIR applications is purchased The
>>> ASF how will it be handled? And that is the other thread.
>>> 
>>> Thanks,
>>> Dave
>>> 
>>> 
>> Do we know if there has been any work/discussion on this?  We are preparing
>> our installer app for release and valid certificate would be very good to
>> have.
>> 
>> What should I (or infra) do to get this certificate approved and purchased
>> for us by us?  How can I help speed up this process?
>> 
>> Thanks,
>> Om
> 
> 
> Om, 
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
> 
> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another project, come up with this plan we have asked for.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/16/12 12:20 AM, Tony Stevenson wrote:
> 
> 
> Sent from my iPad
> 
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> 
>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>
>>>
>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>
>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Our hosted signing service does not currently provide the ability to sign
>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>> website:
>>>>
>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>
>>>> Would this work for you?  Please let us know if you have any questions.
>>>>
>>>> Thanks,
>>>>
>>>> Rich
>>>>
>>>>
>>> Rich,
>>>
>>> This would work perfectly fine for us.
>>>
>>>
>>> Om,
>>>
>>> And now the question is for the Apache Infrastructure team. Assuming that
>>> an apache.org certificate for signing AIR applications is purchased The
>>> ASF how will it be handled? And that is the other thread.
>>>
>>> Thanks,
>>> Dave
>>>
>>>
>> Do we know if there has been any work/discussion on this?  We are preparing
>> our installer app for release and valid certificate would be very good to
>> have.
>>
>> What should I (or infra) do to get this certificate approved and purchased
>> for us by us?  How can I help speed up this process?
>>
>> Thanks,
>> Om
> 
> 
> Om, 
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
> 
> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another project, come up with this plan we have asked for.
> 

It's possible that I completely misunderstand you but I think that I
have provided 2 proposals how such a process can be handled by the
example of AOO. And I offered my help to setup for example a special
build machine (1 of my proposals).

I have also explained in detail how complex it is in case of AOO and
that it is a 2 step process.

Maybe infra-structure can give me feedback what doesn't work with these
proposals. And as typical at Apache if you have concerns (-1) come up
with another proposal that fulfill better the needs of infra-structure
and of course the projects who need the signing process. I have thought
about it and discussed it with some colleagues and we have no better
proposal so far.

But we should really drive this forward. If it comes out that it is not
possible at all, we should figure out if it is possible to find an
external sponsor for a certificate that we can use to sign the binaries.

Regards
Juergen





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/16/2012 7:52 AM, Mark Thomas wrote:
> 
> I suggest you read the entire thread and then consider offering the
> Infra team generally and Tony specifically an apology.

I have, there is a pdf whitepaper in the archives that Tony can refer
back to, if he were interested.  We have iterated the logic on any
number of occasions in the past year, and I spelled out exactly my
logic on dropping an offer of building an incomplete code signing
service on ASF hardware.  We simply cannot provide the same detail
and control that the Symantec plan offers.

There are two further interactions with Symantec on this subject, one
is for Sam in a position of authority or another to approach Symantec
for the precise details of their offer.  The other is to gather the
implementation details and I suspect that beta access to this service
is going to be required to determine how all the bits can be married
together across various build systems, including Maven.

I'm going to attribute his claim that nobody has provided any detailed
proposal to email overload and a request for collecting that data on
some wiki.

Sorry Tony.  Please point me to the wiki you wish me to use to gather
the relevant email-archived details?

> Om & Dave Fisher asked about signing Adobe Air applications
> 
> Richard Hall stated that the Symantec signing service *does not* support
> Adobe Air but that a code signing cert could be made available.
> 
> Om asked if there has been any progress.
> 
> Tony replied (again) that a concrete proposal needs to be made for an
> ASF hosted signing service for infrastructure to consider. Some ideas
> have been floated but there has not yet been a proposal in sufficient
> level of detail for infrastructure to evaluate.
> 
> The Symantec service may solve some problems but it is not a panacea.

Agreed in part (Apple being a huge enigma).  But if Apple certs are per
Apple ADC developer, we have far fewer issues than dealing with org sigs.
This becomes the equivalent of GPG keys.



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Mark Thomas <ma...@apache.org>.
On 16/08/2012 06:38, William A. Rowe Jr. wrote:
> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>>
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.
> 
> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.
> 
> The most sensical proposal is in front of your face, so your statement
> is completely crap.

Bill,

I suggest you read the entire thread and then consider offering the
Infra team generally and Tony specifically an apology.

Om & Dave Fisher asked about signing Adobe Air applications

Richard Hall stated that the Symantec signing service *does not* support
Adobe Air but that a code signing cert could be made available.

Om asked if there has been any progress.

Tony replied (again) that a concrete proposal needs to be made for an
ASF hosted signing service for infrastructure to consider. Some ideas
have been floated but there has not yet been a proposal in sufficient
level of detail for infrastructure to evaluate.

The Symantec service may solve some problems but it is not a panacea.

Mark

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.
On 16 Aug 2012, at 06:38, "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:

> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>> 
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.

What offers?  Use Symantec?  That's hardly a detailed proposal as we have stated we want.

> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.

Interesting, why has no one mentioned this level of detail before?  Where is the detailed proposal around this offering?  We are not just going to allow projects to say 'let's use Symantec (as good, or as poor as their offering may be) - we'll figure out the details later'. We have been very clear about this from day one.

All we have asked for is a detailed proposal (which I don't take your email to be as such). That we will review and decide on thereafter.  

> The most sensical proposal is in front of your face, so your statement
> is completely crap.

Take your acrimonious pain in the ass attitude and use it somewhere more sensible please Bill. 



Cheers,
Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/15/2012 5:20 PM, Tony Stevenson wrote:
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 

I don't know how it's possible for infra to remain so deaf and ignorant
to the offers on the table.

In the Symantec proposal, each artifact is individually audited and
revocable.  Admin rights remain entirely in infra root's hands (given
some basic trust to the agency which issues most every code signing
certificate, every trust model has some issues like this).  Committers
continue to generate artifacts as they always have and are accountable
for the bits they sign with ASF credentials, without ever possessing
the keys to sign arbitrary objects outside of the auditable schema.

The most sensical proposal is in front of your face, so your statement
is completely crap.





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.

Sent from my iPad

On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:

> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
> 
>> 
>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>> 
>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>> 
>>> Hi Dave,
>>> 
>>> Our hosted signing service does not currently provide the ability to sign
>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>> website:
>>> 
>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>> 
>>> Would this work for you?  Please let us know if you have any questions.
>>> 
>>> Thanks,
>>> 
>>> Rich
>>> 
>>> 
>> Rich,
>> 
>> This would work perfectly fine for us.
>> 
>> 
>> Om,
>> 
>> And now the question is for the Apache Infrastructure team. Assuming that
>> an apache.org certificate for signing AIR applications is purchased The
>> ASF how will it be handled? And that is the other thread.
>> 
>> Thanks,
>> Dave
>> 
>> 
> Do we know if there has been any work/discussion on this?  We are preparing
> our installer app for release and valid certificate would be very good to
> have.
> 
> What should I (or infra) do to get this certificate approved and purchased
> for us by us?  How can I help speed up this process?
> 
> Thanks,
> Om


Om, 

We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 

Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.

To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with another project, come up with this plan we have asked for.

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:

>
> On Jul 19, 2012, at 11:16 AM, Om wrote:
>
> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>
>> Hi Dave,
>>
>> Our hosted signing service does not currently provide the ability to sign
>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>> website:
>>
>> http://www.symantec.com/verisign/code-signing/adobe-air
>>
>> Would this work for you?  Please let us know if you have any questions.
>>
>> Thanks,
>>
>> Rich
>>
>>
> Rich,
>
> This would work perfectly fine for us.
>
>
> Om,
>
> And now the question is for the Apache Infrastructure team. Assuming that
> an apache.org certificate for signing AIR applications is purchased The
> ASF how will it be handled? And that is the other thread.
>
> Thanks,
> Dave
>
>
Do we know if there has been any work/discussion on this?  We are preparing
our installer app for release and valid certificate would be very good to
have.

What should I (or infra) do to get this certificate approved and purchased
for us by us?  How can I help speed up this process?

Thanks,
Om

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Jul 19, 2012, at 11:16 AM, Om wrote:

> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
> Hi Dave,
> 
> Our hosted signing service does not currently provide the ability to sign Air applications, but we do offer Code Signing certs for Adobe Air from our website:
> 
> http://www.symantec.com/verisign/code-signing/adobe-air
> 
> Would this work for you?  Please let us know if you have any questions.
> 
> Thanks,
> 
> Rich
> 
> 
> Rich,
> 
> This would work perfectly fine for us.  

Om,

And now the question is for the Apache Infrastructure team. Assuming that an apache.org certificate for signing AIR applications is purchased The ASF how will it be handled? And that is the other thread.

Thanks,
Dave

> 
> Thanks,
> Om
> Apache Flex PPMC Member
>  
> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Wednesday, July 18, 2012 7:12 PM
> To: infrastructure-dev@apache.org
> Cc: Dean Coclin; Richard Hall
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
> 
> 
> On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:
> 
> > Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> > list history... if I missed your earlier reply I apologize in advance.
> 
> Gentlemen,
> 
> The Apache Flex podling would like to sign AIR applications as well:
> 
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> 
> Thanks for your consideration,
> Dave
> 
> >
> > Bill
> >
> > On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> >> Q's for Dean inline;
> >>
> >> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> >>>
> >>> sorry for jumping in but I hope that a short question is allowed.
> >>
> >> [Yes, that's why we launched the thread here for anyone interested in
> >> signing ASF binary objects.]
> >>
> >>> I am currently investigating in a reliable code signing process for
> >>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> >>> and especially the upcoming Windows 8.
> >>>
> >>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> >>> build, package the files in an msi/setup etc., sign the final setup bits
> >>> and finally sign a downloadable self extracting exe.
> >>>
> >>> Because of the huge size and the many many files I believe that it makes
> >>> most sense to have a certificate on a dedicated build machine.
> >>
> >> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> >> case for reasons already spelled out on the list.  As I was designing the
> >> svn <-> signing service, I was actually laying it out that I myself would
> >> never have access to that key myself.
> >>
> >> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> >> the individual bits in that package, and refold it back into a .cab (and
> >> nested back into the .msi, which is then itself signed).  The same could
> >> be true for a Java .jar (.zip) binaries collection.
> >>
> >>
> >> Dean, a few additional questions for you from these thoughts;
> >>
> >> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> >> sign multiple embedded bits?
> >>
> >> Is the logic out there for 'batching' a bunch of files together?
> >>
> >> In either case, will a single 'signing key' be used, or will each individual
> >> artifact be individually signed?
> >>
> >> Can .msi or .jar packages themselves be signed through the service?
> >>
> >> And finally, has anything changed in the past year about an organization having
> >> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> >> individual or department keys?  Last I understood, only a single org code
> >> signing cert would be made available.  We have approx 12 RM's at the ASF today
> >> who would like to begin signing packages, if one key/cert can be tied into one
> >> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> >> signing key?
> >>
> >>> But anyway whatever process in the end is working and possible, I would
> >>> like to ask if it is possible to get some kind of test certificate to
> >>> improve our testing.
> >>
> >> Or, perhaps test-integrate with the signing service, if it provides for batch
> >> submission?
> >>
> >>> My self signed certificate created with makecert is 1024 bit only and I
> >>> have read that a code signing cert have to be at least 2024 bits. I
> >>> don't know if that makes a difference in the Windows 8 App Certification
> >>> Kit.
> >>
> >> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> >> reliable cryptography is 2048 bits today (measured as an RSA style key,
> >> obviously DSS/DH and ECC use different logic and different 'safe' key
> >> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> >> but I won't be holding my breath on that one :)
> >>
> >> Secondly, any pointers to local test signing certs for binaries and .msi
> >> packages on windows would be very helpful to me as well.
> >>
> >>> I think AOO with currently >6million downloads (since May 8th) can be a
> >>> good promotion for Symantec when people notice where the certificate
> >>> comes from.
> >>
> >> +1 :)
> >>
> >>
> >>
> >>
> >>
> >
> >
> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:

> Hi Dave,
>
> Our hosted signing service does not currently provide the ability to sign
> Air applications, but we do offer Code Signing certs for Adobe Air from our
> website:
>
> http://www.symantec.com/verisign/code-signing/adobe-air
>
> Would this work for you?  Please let us know if you have any questions.
>
> Thanks,
>
> Rich
>
>
Rich,

This would work perfectly fine for us.

Thanks,
Om
Apache Flex PPMC Member


> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Wednesday, July 18, 2012 7:12 PM
> To: infrastructure-dev@apache.org
> Cc: Dean Coclin; Richard Hall
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
>
>
> On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:
>
> > Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> > list history... if I missed your earlier reply I apologize in advance.
>
> Gentlemen,
>
> The Apache Flex podling would like to sign AIR applications as well:
>
>
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>
> Thanks for your consideration,
> Dave
>
> >
> > Bill
> >
> > On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> >> Q's for Dean inline;
> >>
> >> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> >>>
> >>> sorry for jumping in but I hope that a short question is allowed.
> >>
> >> [Yes, that's why we launched the thread here for anyone interested in
> >> signing ASF binary objects.]
> >>
> >>> I am currently investigating in a reliable code signing process for
> >>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> >>> and especially the upcoming Windows 8.
> >>>
> >>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> >>> build, package the files in an msi/setup etc., sign the final setup bits
> >>> and finally sign a downloadable self extracting exe.
> >>>
> >>> Because of the huge size and the many many files I believe that it makes
> >>> most sense to have a certificate on a dedicated build machine.
> >>
> >> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> >> case for reasons already spelled out on the list.  As I was designing the
> >> svn <-> signing service, I was actually laying it out that I myself would
> >> never have access to that key myself.
> >>
> >> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> >> the individual bits in that package, and refold it back into a .cab (and
> >> nested back into the .msi, which is then itself signed).  The same could
> >> be true for a Java .jar (.zip) binaries collection.
> >>
> >>
> >> Dean, a few additional questions for you from these thoughts;
> >>
> >> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> >> sign multiple embedded bits?
> >>
> >> Is the logic out there for 'batching' a bunch of files together?
> >>
> >> In either case, will a single 'signing key' be used, or will each individual
> >> artifact be individually signed?
> >>
> >> Can .msi or .jar packages themselves be signed through the service?
> >>
> >> And finally, has anything changed in the past year about an organization having
> >> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> >> individual or department keys?  Last I understood, only a single org code
> >> signing cert would be made available.  We have approx 12 RM's at the ASF today
> >> who would like to begin signing packages, if one key/cert can be tied into one
> >> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> >> signing key?
> >>
> >>> But anyway whatever process in the end is working and possible, I would
> >>> like to ask if it is possible to get some kind of test certificate to
> >>> improve our testing.
> >>
> >> Or, perhaps test-integrate with the signing service, if it provides for batch
> >> submission?
> >>
> >>> My self signed certificate created with makecert is 1024 bit only and I
> >>> have read that a code signing cert have to be at least 2024 bits. I
> >>> don't know if that makes a difference in the Windows 8 App Certification
> >>> Kit.
> >>
> >> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> >> reliable cryptography is 2048 bits today (measured as an RSA style key,
> >> obviously DSS/DH and ECC use different logic and different 'safe' key
> >> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> >> but I won't be holding my breath on that one :)
> >>
> >> Secondly, any pointers to local test signing certs for binaries and .msi
> >> packages on windows would be very helpful to me as well.
> >>
> >>> I think AOO with currently >6million downloads (since May 8th) can be a
> >>> good promotion for Symantec when people notice where the certificate
> >>> comes from.
> >>
> >> +1 :)
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>

RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Richard Hall <Ri...@symantec.com>.
Hi Dave,

Our hosted signing service does not currently provide the ability to sign Air applications, but we do offer Code Signing certs for Adobe Air from our website:

http://www.symantec.com/verisign/code-signing/adobe-air

Would this work for you?  Please let us know if you have any questions.

Thanks,

Rich

-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Wednesday, July 18, 2012 7:12 PM
To: infrastructure-dev@apache.org
Cc: Dean Coclin; Richard Hall
Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer


On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:

> Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> list history... if I missed your earlier reply I apologize in advance.

Gentlemen,

The Apache Flex podling would like to sign AIR applications as well:

http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html

Thanks for your consideration,
Dave

> 
> Bill
> 
> On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
>> Q's for Dean inline;
>> 
>> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>> 
>>> sorry for jumping in but I hope that a short question is allowed.
>> 
>> [Yes, that's why we launched the thread here for anyone interested in
>> signing ASF binary objects.]
>> 
>>> I am currently investigating in a reliable code signing process for
>>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>>> and especially the upcoming Windows 8.
>>> 
>>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>>> build, package the files in an msi/setup etc., sign the final setup bits
>>> and finally sign a downloadable self extracting exe.
>>> 
>>> Because of the huge size and the many many files I believe that it makes
>>> most sense to have a certificate on a dedicated build machine.
>> 
>> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
>> case for reasons already spelled out on the list.  As I was designing the
>> svn <-> signing service, I was actually laying it out that I myself would
>> never have access to that key myself.
>> 
>> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
>> the individual bits in that package, and refold it back into a .cab (and
>> nested back into the .msi, which is then itself signed).  The same could
>> be true for a Java .jar (.zip) binaries collection.
>> 
>> 
>> Dean, a few additional questions for you from these thoughts;
>> 
>> Can the code signing service accept a rolled up .msi or .jar (.zip) and
>> sign multiple embedded bits?
>> 
>> Is the logic out there for 'batching' a bunch of files together?
>> 
>> In either case, will a single 'signing key' be used, or will each individual
>> artifact be individually signed?
>> 
>> Can .msi or .jar packages themselves be signed through the service?
>> 
>> And finally, has anything changed in the past year about an organization having
>> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
>> individual or department keys?  Last I understood, only a single org code
>> signing cert would be made available.  We have approx 12 RM's at the ASF today
>> who would like to begin signing packages, if one key/cert can be tied into one
>> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
>> signing key?
>> 
>>> But anyway whatever process in the end is working and possible, I would
>>> like to ask if it is possible to get some kind of test certificate to
>>> improve our testing.
>> 
>> Or, perhaps test-integrate with the signing service, if it provides for batch
>> submission?
>> 
>>> My self signed certificate created with makecert is 1024 bit only and I
>>> have read that a code signing cert have to be at least 2024 bits. I
>>> don't know if that makes a difference in the Windows 8 App Certification
>>> Kit.
>> 
>> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
>> reliable cryptography is 2048 bits today (measured as an RSA style key,
>> obviously DSS/DH and ECC use different logic and different 'safe' key
>> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
>> but I won't be holding my breath on that one :)
>> 
>> Secondly, any pointers to local test signing certs for binaries and .msi
>> packages on windows would be very helpful to me as well.
>> 
>>> I think AOO with currently >6million downloads (since May 8th) can be a
>>> good promotion for Symantec when people notice where the certificate
>>> comes from.
>> 
>> +1 :)
>> 
>> 
>> 
>> 
>> 
> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:

> Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> list history... if I missed your earlier reply I apologize in advance.

Gentlemen,

The Apache Flex podling would like to sign AIR applications as well:

http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html

Thanks for your consideration,
Dave

> 
> Bill
> 
> On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
>> Q's for Dean inline;
>> 
>> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
>>> 
>>> sorry for jumping in but I hope that a short question is allowed.
>> 
>> [Yes, that's why we launched the thread here for anyone interested in
>> signing ASF binary objects.]
>> 
>>> I am currently investigating in a reliable code signing process for
>>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
>>> and especially the upcoming Windows 8.
>>> 
>>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
>>> build, package the files in an msi/setup etc., sign the final setup bits
>>> and finally sign a downloadable self extracting exe.
>>> 
>>> Because of the huge size and the many many files I believe that it makes
>>> most sense to have a certificate on a dedicated build machine.
>> 
>> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
>> case for reasons already spelled out on the list.  As I was designing the
>> svn <-> signing service, I was actually laying it out that I myself would
>> never have access to that key myself.
>> 
>> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
>> the individual bits in that package, and refold it back into a .cab (and
>> nested back into the .msi, which is then itself signed).  The same could
>> be true for a Java .jar (.zip) binaries collection.
>> 
>> 
>> Dean, a few additional questions for you from these thoughts;
>> 
>> Can the code signing service accept a rolled up .msi or .jar (.zip) and
>> sign multiple embedded bits?
>> 
>> Is the logic out there for 'batching' a bunch of files together?
>> 
>> In either case, will a single 'signing key' be used, or will each individual
>> artifact be individually signed?
>> 
>> Can .msi or .jar packages themselves be signed through the service?
>> 
>> And finally, has anything changed in the past year about an organization having
>> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
>> individual or department keys?  Last I understood, only a single org code
>> signing cert would be made available.  We have approx 12 RM's at the ASF today
>> who would like to begin signing packages, if one key/cert can be tied into one
>> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
>> signing key?
>> 
>>> But anyway whatever process in the end is working and possible, I would
>>> like to ask if it is possible to get some kind of test certificate to
>>> improve our testing.
>> 
>> Or, perhaps test-integrate with the signing service, if it provides for batch
>> submission?
>> 
>>> My self-signed certificate created with makecert is 1024 bit only and I
>>> have read that a code signing cert has to be at least 2024 bits. I
>>> don't know if that makes a difference in the Windows 8 App Certification
>>> Kit.
>> 
>> First off, 1024 is not 21st +10y friendly.  The minimum cert size for any
>> reliable cryptography is 2048 bits today (measured as an RSA style key,
>> obviously DSS/DH and ECC use different logic and different 'safe' key
>> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
>> but I won't be holding my breath on that one :)
>> 
>> Secondly, any pointers to local test signing certs for binaries and .msi
>> packages on windows would be very helpful to me as well.
>> 
>>> I think AOO with currently >6 million downloads (since May 8th) can be a
>>> good promotion for Symantec when people notice where the certificate
>>> comes from.
>> 
>> +1 :)
>
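
Added example, not part of the original thread and not code from the ASF or from any vendor signing service: a Python illustration of the unfold / sign / refold flow described in the quoted message, for a .jar (.zip), where every embedded entry gets a digest in the manifest and the manifest is signed once. The HMAC key stands in for the service's private key, and the EXAMPLE.SIG entry name, the simplified manifest layout and the sample archive are assumptions.

```python
import base64, hashlib, hmac, io, re, zipfile

MANIFEST, SIG = "META-INF/MANIFEST.MF", "META-INF/EXAMPLE.SIG"  # SIG name is hypothetical

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def payload(zf):
    """Entries the manifest must cover: every file outside META-INF/."""
    return sorted(n for n in zf.namelist() if not n.startswith("META-INF/"))

def pack(entries):
    """Fold a {name: bytes} mapping into zip/jar bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return out.getvalue()

def sign_jar(jar_bytes, key):
    """Unfold, digest every entry, sign the manifest once, refold."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    body = {n: src.read(n) for n in payload(src)}
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in body.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest(data)}", ""]
    manifest = "\r\n".join(lines).encode()
    # Stand-in for the signing service: HMAC, not the X.509 signature a real jar carries.
    sig = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
    return pack({MANIFEST: manifest, SIG: sig, **body})

def verify_jar(jar_bytes, key):
    """Return a list of problems; empty means every entry is covered and intact."""
    zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    if MANIFEST not in zf.namelist() or SIG not in zf.namelist():
        return ["unsigned archive"]
    manifest = zf.read(MANIFEST)
    want = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(want, zf.read(SIG)):
        return ["manifest signature mismatch"]
    pattern = r"Name: ([^\r\n]+)\r\nSHA-256-Digest: ([^\r\n]+)\r\n"
    listed = dict(re.findall(pattern, manifest.decode()))
    present = payload(zf)
    problems = [f"unlisted entry: {n}" for n in present if n not in listed]
    problems += [f"missing entry: {n}" for n in sorted(listed) if n not in present]
    problems += [f"digest mismatch: {n}" for n in present
                 if n in listed and digest(zf.read(n)) != listed[n]]
    return problems

# Constructed sample input, not a real release artifact.
SAMPLE = pack({"app/Main.class": b"\xca\xfe\xba\xbe", "lib/util.dll": b"MZ\x90\x00"})
```

The verifier reports entries that were added after signing as well as changed ones, since a valid manifest signature alone says nothing about files the manifest does not list.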