You are viewing a plain text version of this content. The canonical link for it is here.
Posted to infrastructure-dev@apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/12/14 23:31:35 UTC
[Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer
On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> On the subject of signing jars, Windows binaries and .msi installer
> packages, it seems that infra-dev is partial to the ability to revoke
> package signatures if an artifact is not released or is found to have
> been corrupted, and that the code signing service from Symantec /
> VeriSign / Thawte is the way to go here.
>
> I spoke with Richard and Dean who confirmed that this service would
> be offered at no cost to the ASF. User accounts would be as one of two
> roles, an administrator (root-ish) level and a publisher (committer)
> who needs to sign packages. There is no integration at present for
> PAM style authentication into our ldap, or SSO solution in this
> specific service so we would have to create accounts for each committer
> who is doing signed binary releases.
>
> It is batch-able and can be automated. Obviously there is some work
> around setting up that functionality, but it can run on the signers
> own PC as opposed to a central repository. Here's a background paper
> on the code signing portal itself;
>
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
>
> It is due a major revision entering(or already in?) beta. That version
> introduces support for .jar signing in addition to Win binary/msi signing.
> I asked and they are researching whether Apache could be invited to
> participate in the beta, since we would only just be getting up to speed
> by the time that portal version launches.
>
> One major step would be for Sam, who is both our Legal VP and Infra VP,
> to review the actual agreement/paperwork in detail and determine that
> it would be something we are able to sign. Dean, could you forward that
> to Sam, even as we all learn more about the service and come to a decision
> of whether we should adopt it or not?
What say we?
Has everyone interested had an opportunity to raise any questions already?
I'm +1 here, this seems like the straightest line, and I would love to start
investigating how to automate using their API. I'd like to see if we can't
jump aboard their beta for .jar signing, too.
Are those interested in .jar signing/ant, maven integration ready to take
a look at this?
Re: [Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Posted by Brett Porter <br...@apache.org>.
On 15/12/2011, at 9:31 AM, William A. Rowe Jr. wrote:
> On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
>> On the subject of signing jars, Windows binaries and .msi installer
>> packages, it seems that infra-dev is partial to the ability to revoke
>> package signatures if an artifact is not released or is found to have
>> been corrupted, and that the code signing service from Symantec /
>> VeriSign / Thawte is the way to go here.
>>
>> I spoke with Richard and Dean who confirmed that this service would
>> be offered at no cost to the ASF. User accounts would be as one of two
>> roles, an administrator (root-ish) level and a publisher (committer)
>> who needs to sign packages. There is no integration at present for
>> PAM style authentication into our ldap, or SSO solution in this
>> specific service so we would have to create accounts for each committer
>> who is doing signed binary releases.
>>
>> It is batch-able and can be automated. Obviously there is some work
>> around setting up that functionality, but it can run on the signers
>> own PC as opposed to a central repository. Here's a background paper
>> on the code signing portal itself;
>>
>> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
>>
>> It is due a major revision entering(or already in?) beta. That version
>> introduces support for .jar signing in addition to Win binary/msi signing.
>> I asked and they are researching whether Apache could be invited to
>> participate in the beta, since we would only just be getting up to speed
>> by the time that portal version launches.
>>
>> One major step would be for Sam, who is both our Legal VP and Infra VP,
>> to review the actual agreement/paperwork in detail and determine that
>> it would be something we are able to sign. Dean, could you forward that
>> to Sam, even as we all learn more about the service and come to a decision
>> of whether we should adopt it or not?
>
> What say we?
>
> Has everyone interested had an opportunity to raise any questions already?
>
> I'm +1 here, this seems like the straightest line, and I would love to start
> investigating how to automate using their API. I'd like to see if we can't
> jump aboard their beta for .jar signing, too.
>
> Are those interested in .jar signing/ant, maven integration ready to take
> a look at this?
I'm interested, but a bit short on time. If it did get set up I could probably help with those things though.
- Brett
--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter