Re: Official code signing certificate

[Mark Thomas <ma...@apache.org>]

On 12/04/2013 16:52, William A. Rowe Jr. wrote:

> As Rob is fond of pointing out, there are literally hundreds of
> moving parts in their release (and similarly in the httpd release
> as well - each loadable module must be signed).  I've asked and
> been assured that the Symantec service would have a batch/group
> automation-friendly submission process that could make this
> relatively painless.

Bill,

I'd like to make some progress on this.

Given that we have gone around in circles a few times over excatly how
to handle code-signing I'd like to move forward with the Symantec
service and *if* we hit a snag then we can discuss alternative approaches.

I plan to use Tomcat as the first test case primarily since as I am a
Tomcat committer and part of the infra team using Tomcat means I have
the karma to fix stuff as issues arise.

Once we have this working for Tomcat's Windows installer, we can extend
this to other projects / artifact types (e.g. JARs).

In order to move this forward, who do I need to contact at Symantec to
set up whatever accounts etc are required.

Mark