Posted to dev@flex.apache.org by Om <bi...@gmail.com> on 2012/08/15 22:05:02 UTC

[MENTOR] How to handle Air app signing certificate

>
> I fixed all the issues identified by the RAT check except certificate.p12.
>  That's a binary file and I don't think it can go in the source
> distribution.
>
> I'll leave that to Om and/or Erik to figure out.
>
>
It makes sense for any developer who wants to work on it to create their
own certificate.  Flash Builder makes it very seamless.

But, what about official releases?  We need to have and maintain one
certificate so that the app upgrades on client's machines go smoothly.

.p12 files can be created, modified etc. using a variety of tools like
Flash Builder, OpenSSL, etc.  Can we make an exception for p12 files and
keep it in the source?

Thanks,
Om

Re: Release Managers and Multi-platform releases (was Re: [MENTOR] How to handle Air app signing certificate)

Posted by Alex Harui <ah...@adobe.com>.


On 8/16/12 1:07 PM, "Carol Frampton" <cf...@adobe.com> wrote:


>>> 
>> I understand the installer needs a Mac binary and a Win binary, but since
>> they are not official releases, I don't see why the release manager can't
>> ask someone else to build a package for them.
> 
> I would think the release manager should not sign "the apache way" a
> binary or a binary distro with a binary in it that they didn't build.
> Everything on the distro site needs to be signed.  I did not sign the
> asdoc package when we released and I was asked not too long ago, I think
> by someone from infra, to do that.
> 
> Maybe the mentors know the real answer to this.
> 
> Carol
> 
I would think if someone supplies the other platform's binary in a secure
way it should be good enough, but we'll see what the mentors say.

-- 
Alex Harui
Flex SDK Team
Adobe Systems, Inc.
http://blogs.adobe.com/aharui


Re: Release Managers and Multi-platform releases (was Re: [MENTOR] How to handle Air app signing certificate)

Posted by Carol Frampton <cf...@adobe.com>.

On 8/16/12 3:32 PM, "Alex Harui" <ah...@adobe.com> wrote:

>
>
>
>On 8/16/12 10:19 AM, "Carol Frampton" <cf...@adobe.com> wrote:
>
>> 
>> 
>> On 8/16/12 12:38 PM, "Alex Harui" <ah...@adobe.com> wrote:
>> 
>>> 
>>> 
>>> 
>>> On 8/16/12 6:11 AM, "Carol Frampton" <cf...@adobe.com> wrote:
>>> 
>>> 
>>>> 
>>>> This is not the topic of this thread but I think the release manager has
>>>> to be able to produce both packages.
>>>> 
>>>> Carol
>>>> 
>>> Interesting issue. Theoretically we only release source so I don't see how
>>> you would need something platform specific.  The binary convenience packages
>>> are not official so if you only have one computer, it should be "ok" to have
>>> someone supply the other platform's bin-kit.
>> 
>> It matters for the installer since 99% of the people who want it are after
>> the binaries and aren't interested in the building source (which now will
>> include getting a certificate.p12 file).
>> 
>> Carol
>> 
>I understand the installer needs a Mac binary and a Win binary, but since
>they are not official releases, I don't see why the release manager can't
>ask someone else to build a package for them.

I would think the release manager should not sign "the apache way" a
binary or a binary distro with a binary in it that they didn't build.
Everything on the distro site needs to be signed.  I did not sign the
asdoc package when we released and I was asked not too long ago, I think
by someone from infra, to do that.

Maybe the mentors know the real answer to this.

Carol


Re: Release Managers and Multi-platform releases (was Re: [MENTOR] How to handle Air app signing certificate)

Posted by Alex Harui <ah...@adobe.com>.


On 8/16/12 10:19 AM, "Carol Frampton" <cf...@adobe.com> wrote:

> 
> 
> On 8/16/12 12:38 PM, "Alex Harui" <ah...@adobe.com> wrote:
> 
>> 
>> 
>> 
>> On 8/16/12 6:11 AM, "Carol Frampton" <cf...@adobe.com> wrote:
>> 
>> 
>>> 
>>> This is not the topic of this thread but I think the release manager has
>>> to be able to produce both packages.
>>> 
>>> Carol
>>> 
>> Interesting issue. Theoretically we only release source so I don't see how
>> you would need something platform specific.  The binary convenience packages
>> are not official so if you only have one computer, it should be "ok" to have
>> someone supply the other platform's bin-kit.
> 
> It matters for the installer since 99% of the people who want it are after
> the binaries and aren't interested in the building source (which now will
> include getting a certificate.p12 file).
> 
> Carol
> 
I understand the installer needs a Mac binary and a Win binary, but since
they are not official releases, I don't see why the release manager can't
ask someone else to build a package for them.

-- 
Alex Harui
Flex SDK Team
Adobe Systems, Inc.
http://blogs.adobe.com/aharui


Re: Release Managers and Multi-platform releases (was Re: [MENTOR] How to handle Air app signing certificate)

Posted by Carol Frampton <cf...@adobe.com>.

On 8/16/12 12:38 PM, "Alex Harui" <ah...@adobe.com> wrote:

>
>
>
>On 8/16/12 6:11 AM, "Carol Frampton" <cf...@adobe.com> wrote:
>
>
>> 
>> This is not the topic of this thread but I think the release manager has
>> to be able to produce both packages.
>> 
>> Carol
>> 
>Interesting issue. Theoretically we only release source so I don't see how
>you would need something platform specific.  The binary convenience packages
>are not official so if you only have one computer, it should be "ok" to have
>someone supply the other platform's bin-kit.

It matters for the installer since 99% of the people who want it are after
the binaries and aren't interested in the building source (which now will
include getting a certificate.p12 file).

Carol

>
>-- 
>Alex Harui
>Flex SDK Team
>Adobe Systems, Inc.
>http://blogs.adobe.com/aharui
>


Release Managers and Multi-platform releases (was Re: [MENTOR] How to handle Air app signing certificate)

Posted by Alex Harui <ah...@adobe.com>.


On 8/16/12 6:11 AM, "Carol Frampton" <cf...@adobe.com> wrote:


> 
> This is not the topic of this thread but I think the release manager has
> to be able to produce both packages.
> 
> Carol
> 
Interesting issue. Theoretically we only release source so I don't see how
you would need something platform specific.  The binary convenience packages
are not official so if you only have one computer, it should be "ok" to have
someone supply the other platform's bin-kit.

-- 
Alex Harui
Flex SDK Team
Adobe Systems, Inc.
http://blogs.adobe.com/aharui


Re: [MENTOR] How to handle Air app signing certificate

Posted by Carol Frampton <cf...@adobe.com>.

On 8/15/12 7:30 PM, "Om" <bi...@gmail.com> wrote:

>So how does this sound:
>
>
>   - We don't keep the .p12 file in the repo.
>   - We ask developers who want to work with the source code to generate a
>   .p12 file (using FB or similar tools) for themselves
>   - They should not check it in (add *.p12 to svn ignore?)
>   - The release managers would create a .p12 certificate (and a pass code)
>   as the official one.  This will not be checked in.
>   - A release build is created using the source code + .p12 + pass code
>   combination.
>   - Whoever is the current release manager gets the .p12 certificate +
>   pass code from the previous release manager to make a release build.
>   - It is up to the release managers to keep the .p12 and pass code
>   secure.
>
>Note:  We may need two release managers for every release - one for windows
>and one for Mac since air apps for a platform need to be built on the same
>platform.

This is not the topic of this thread but I think the release manager has
to be able to produce both packages.

Carol


Re: [MENTOR] How to handle Air app signing certificate

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Aug 16, 2012 at 2:43 AM, Clint Modien <cm...@gmail.com> wrote:
> ...strange that Apache doesn't have a code signing process in place already…
> seems like a pretty common requirement....

See http://www.apache.org/dev/release-signing for how releases are signed.

You're right that the ASF doesn't currently have a standard process
for digital certificates - the OpenOffice podling has been discussing
this recently, see http://s.apache.org/Hii - I haven't followed the
details.

-Bertrand

Re: [MENTOR] How to handle Air app signing certificate

Posted by Clint Modien <cm...@gmail.com>.
Sounds good… strange that Apache doesn't have a code signing process in place already… seems like a pretty common requirement.

On Aug 15, 2012, at 4:30 PM, Om wrote:

> So how does this sound:
> 
> 
>   - We don't keep the .p12 file in the repo.
>   - We ask developers who want to work with the source code to generate a
>   .p12 file (using FB or similar tools) for themselves
>   - They should not check it in (add *.p12 to svn ignore?)
>   - The release managers would create a .p12 certificate (and a pass code)
>   as the official one.  This will not be checked in.
>   - A release build is created using the source code + .p12 + pass code
>   combination.
>   - Whoever is the current release manager gets the .p12 certificate +
>   pass code from the previous release manager to make a release build.
>   - It is up to the release managers to keep the .p12 and pass code
>   secure.
> 
> Note:  We may need two release managers for every release - one for windows
> and one for Mac since air apps for a platform need to be built on the same
> platform.
> 
> P.S.:  I have a thread going on in infra-dev to get an official Apache.org
> or Apache Flex AIR app signing certificate.  You can follow it here: [1]


Re: [MENTOR] How to handle Air app signing certificate

Posted by Om <bi...@gmail.com>.
So how does this sound:


   - We don't keep the .p12 file in the repo.
   - We ask developers who want to work with the source code to generate a
   .p12 file (using FB or similar tools) for themselves
   - They should not check it in (add *.p12 to svn ignore?)
   - The release managers would create a .p12 certificate (and a pass code)
   as the official one.  This will not be checked in.
   - A release build is created using the source code + .p12 + pass code
   combination.
   - Whoever is the current release manager gets the .p12 certificate +
   pass code from the previous release manager to make a release build.
   - It is up to the release managers to keep the .p12 and pass code
   secure.

Note:  We may need two release managers for every release - one for windows
and one for Mac since air apps for a platform need to be built on the same
platform.

P.S.:  I have a thread going on in infra-dev to get an official Apache.org
or Apache Flex AIR app signing certificate.  You can follow it here: [1]

Thanks,
Om

[1] http://markmail.org/message/5te7ygbwzxulhpyj

On Wed, Aug 15, 2012 at 2:25 PM, Clint Modien <cm...@gmail.com> wrote:

> Anyone could sign code with the cert if they know/crack the password for
> the private key.
>
> I would keep all certs out of the repo in the interest of security and
> keep them in a safe place and only grant access to people who create
> distribution packages.
>
> If you're doing dev… you can generate your own cert.
>
> On Aug 15, 2012, at 1:05 PM, Om wrote:
>
> >>
> >> I fixed all the issues identified by the RAT check except certificate.p12.
> >> That's a binary file and I don't think it can go in the source
> >> distribution.
> >>
> >> I'll leave that to Om and/or Erik to figure out.
> >>
> >>
> > It makes sense for any developer who wants to work on it to create their
> > own certificate.  Flash Builder makes it very seamless.
> >
> > But, what about official releases?  We need to have and maintain one
> > certificate so that the app upgrades on client's machines go smoothly.
> >
> > .p12 files can be created, modified etc. using a variety of tools like
> > Flash Builder, OpenSSL, etc.  Can we make an exception for p12 files and
> > keep it in the source?
> >
> > Thanks,
> > Om
>
>
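
A release-gate check for the rule proposed in the message above (no .p12 in the repository or the source distribution), as an added example that is not part of the original thread or of the Apache Flex build: it flags key stores by extension and by their PKCS#12 header bytes, so a key store saved under another name is caught too. The `installer/` layout, every file name other than certificate.p12, and the function names are assumptions; the sample bytes are constructed.

```python
import pathlib
import tempfile

# DER tag, length and leading octets of OID 1.2.840.113549.1.7.x (PKCS#7 content types).
PKCS7_OID_PREFIX = bytes.fromhex("06092a864886f70d0107")
KEYSTORE_EXTENSIONS = (".p12", ".pfx")
# Constructed sample: only the opening bytes of a PFX structure, not a usable key store.
SAMPLE_PFX_HEADER = bytes.fromhex("3082092a020103308208e4") + PKCS7_OID_PREFIX + b"\x01"

def _skip_header(data, pos, tag):
    """Return the offset just past the tag+length header at pos, or -1 on a tag mismatch."""
    if pos + 2 > len(data) or data[pos] != tag:
        return -1
    first = data[pos + 1]  # <= 0x80: short or BER indefinite form, one length octet
    return pos + 2 if first <= 0x80 else pos + 2 + (first & 0x7F)

def looks_like_pkcs12(data):
    """Heuristic: a PFX starts SEQUENCE { INTEGER 3, SEQUENCE { OID pkcs7-... } }."""
    pos = _skip_header(data, 0, 0x30)
    if pos < 0 or data[pos:pos + 3] != b"\x02\x01\x03":
        return False
    pos = _skip_header(data, pos + 3, 0x30)
    return pos >= 0 and data[pos:pos + 10] == PKCS7_OID_PREFIX

def find_keystores(root):
    """Return sorted relative paths under root that are key stores by name or content."""
    hits = []
    for path in pathlib.Path(root).rglob("*"):
        rel = path.relative_to(root)
        if ".svn" in rel.parts or not path.is_file():  # skip Subversion metadata
            continue
        with path.open("rb") as fh:
            head = fh.read(64)
        if path.suffix.lower() in KEYSTORE_EXTENSIONS or looks_like_pkcs12(head):
            hits.append(rel.as_posix())
    return sorted(hits)

def demo():
    files = {"installer/certificate.p12": SAMPLE_PFX_HEADER,
             "installer/signing.bin": SAMPLE_PFX_HEADER,  # key store under another name
             "installer/src/Main.mxml": b"<s:Application/>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return find_keystores(root)

if __name__ == "__main__":
    print(demo())
```

A non-empty result from `find_keystores` on an export of the source tree is the condition on which a release build would stop.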

Re: [MENTOR] How to handle Air app signing certificate

Posted by Clint Modien <cm...@gmail.com>.
Anyone could sign code with the cert if they know/crack the password for the private key.

I would keep all certs out of the repo in the interest of security and keep them in a safe place and only grant access to people who create distribution packages.

If you're doing dev… you can generate your own cert.

On Aug 15, 2012, at 1:05 PM, Om wrote:

>> 
>> I fixed all the issues identified by the RAT check except certificate.p12.
>> That's a binary file and I don't think it can go in the source
>> distribution.
>> 
>> I'll leave that to Om and/or Erik to figure out.
>> 
>> 
> It makes sense for any developer who wants to work on it to create their
> own certificate.  Flash Builder makes it very seamless.
> 
> But, what about official releases?  We need to have and maintain one
> certificate so that the app upgrades on client's machines go smoothly.
> 
> .p12 files can be created, modified etc. using a variety of tools like
> Flash Builder, OpenSSL, etc.  Can we make an exception for p12 files and
> keep it in the source?
> 
> Thanks,
> Om


Re: [MENTOR] How to handle Air app signing certificate

Posted by Dave Fisher <da...@comcast.net>.
On Aug 15, 2012, at 1:27 PM, Alex Harui wrote:

> 
> 
> 
> On 8/15/12 1:14 PM, "Carol Frampton" <cf...@adobe.com> wrote:
> 
>> I think the question to be asked is can we keep certificate.p12 in the
>> repository and not put it in the source distro?
>> 
>> Carol
>> 
> Isn't the P12 file made out to some individual like Om?  If so, it should
> not be in the repo or distro and one of the steps to building is for the
> builder to get their own .p12 file.

Is there any reason for a user to need to examine these?

Otherwise these seem to be similar to the KEYS file. Perhaps the same treatment, or can the .p12 be extracted from the KEYS?

Regards,
Dave

> 
> -- 
> Alex Harui
> Flex SDK Team
> Adobe Systems, Inc.
> http://blogs.adobe.com/aharui
> 


Re: [MENTOR] How to handle Air app signing certificate

Posted by Clint Modien <cm...@gmail.com>.
An air app must be signed with the same cert or it won't install/update unless you change the app id.

On Aug 15, 2012, at 1:27 PM, Alex Harui wrote:

> Isn't the P12 file made out to some individual like Om?  If so, it should
> not be in the repo or distro and one of the steps to building is for the
> builder to get their own .p12 file.


Re: [MENTOR] How to handle Air app signing certificate

Posted by Alex Harui <ah...@adobe.com>.


On 8/15/12 1:14 PM, "Carol Frampton" <cf...@adobe.com> wrote:

> I think the question to be asked is can we keep certificate.p12 in the
> repository and not put it in the source distro?
> 
> Carol
> 
Isn't the P12 file made out to some individual like Om?  If so, it should
not be in the repo or distro and one of the steps to building is for the
builder to get their own .p12 file.

-- 
Alex Harui
Flex SDK Team
Adobe Systems, Inc.
http://blogs.adobe.com/aharui


Re: [MENTOR] How to handle Air app signing certificate

Posted by Carol Frampton <cf...@adobe.com>.

On 8/15/12 4:05 PM, "Om" <bi...@gmail.com> wrote:

>>
>> I fixed all the issues identified by the RAT check except certificate.p12.
>>  That's a binary file and I don't think it can go in the source
>> distribution.
>>
>> I'll leave that to Om and/or Erik to figure out.
>>
>>
>It makes sense for any developer who wants to work on it to create their
>own certificate.  Flash Builder makes it very seamless.
>
>But, what about official releases?  We need to have and maintain one
>certificate so that the app upgrades on client's machines go smoothly.
>
>.p12 files can be created, modified etc. using a variety of tools like
>Flash Builder, OpenSSL, etc.  Can we make an exception for p12 files and
>keep it in the source?

I think the question to be asked is can we keep certificate.p12 in the
repository and not put it in the source distro?

Carol