Posted to dev@commons.apache.org by Mark Thomas <ma...@apache.org> on 2018/01/23 06:33:56 UTC

[Signing] New component for code signing

All,

As you may know, the ASF has been using a code signing service for a
number of years provided by Symantec. We use it to sign Commons Daemon
Windows binaries.

The code signing service has a web based GUI and a SOAP based API.
Tomcat has written an Ant task to use the SOAP API and Sling has taken
this and used it as the basis for a Maven plug-in.

Currently, the Ant task is hosted within the Tomcat codebase and the
Maven plug-in within Sling. Both communities would like to move this to
a better home where it can more easily be re-used by other Apache
projects and other organisations using Symantec's code signing service.

After some thought and discussion, we (Robert Munteanu and I) would like
to propose this code signing component as a new component at Commons.
Our reasons for this are as follows:

- The code is written in Java
- It is a relatively small component
- It is a utility likely to be of interest to multiple Apache projects
- If it is going to be re-used across multiple projects, it needs to be
  formally released and that requires a PMC

If accepted the plan would be:
- commit the original Tomcat code for the Ant task
- refactor it to allow re-use of code common to the Ant task and Maven
  plug-in
- add the Maven plug-in
- release it as a single JAR that provided both the Ant task and the
  Maven plug-in
- Ongoing review and maintenance (there are a couple of areas that could
  benefit from some improvement)

Thoughts? Comments?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: [Signing] New component for code signing

Posted by Rob Tompkins <ch...@gmail.com>.
+1

> On Jan 24, 2018, at 4:05 PM, Gary Gregory <ga...@gmail.com> wrote:
> 
> +1
> 
> Gary
> 
>> On Wed, Jan 24, 2018 at 1:35 AM, Benedikt Ritter <br...@apache.org> wrote:
>> 
>> Hello Mark,
>> 
>> +1 In my opinion this is exactly what Commons should be doing.
>> 
>> Regards,
>> Benedikt
>> 
>> Mark Thomas <ma...@apache.org> wrote on Tue, 23 Jan 2018 at 07:34:
>> 
>>> All,
>>> 
>>> As you may know, the ASF has been using a code signing service for a
>>> number of years provided by Symantec. We use it to sign Commons Daemon
>>> Windows binaries.
>>> 
>>> The code signing service has a web based GUI and a SOAP based API.
>>> Tomcat has written an Ant task to use the SOAP API and Sling has taken
>>> this and used it as the basis for a Maven plug-in.
>>> 
>>> Currently, the Ant task is hosted within the Tomcat codebase and the
>>> Maven plug-in within Sling. Both communities would like to move this to
>>> a better home where it can more easily be re-used by other Apache
>>> projects and other organisations using Symantec's code signing service.
>>> 
>>> After some thought and discussion, we (Robert Munteanu and I) would like
>>> to propose this code signing component as a new component at Commons.
>>> Our reasons for this are as follows:
>>> 
>>> - The code is written in Java
>>> - It is a relatively small component
>>> - It is a utility likely to be of interest to multiple Apache projects
>>> - If it is going to be re-used across multiple projects, it needs to be
>>>  formally released and that requires a PMC
>>> 
>>> If accepted the plan would be:
>>> - commit the original Tomcat code for the Ant task
>>> - refactor it to allow re-use of code common to the Ant task and Maven
>>>  plug-in
>>> - add the Maven plug-in
>>> - release it as a single JAR that provided both the Ant task and the
>>>  Maven plug-in
>>> - Ongoing review and maintenance (there are a couple of areas that could
>>>  benefit from some improvement)
>>> 
>>> Thoughts? Comments?
>>> 
>>> Mark
>>> 
>> 



Re: [Signing] New component for code signing

Posted by Robert Munteanu <ro...@apache.org>.
On Tue, 2018-01-30 at 15:57 +0100, Bernd Eckenfels wrote:
> Well, there are plans by me. I would not invest time in a project
> nobody else can use…
> 
> Maybe there can be some consensus on a common protocol.

Ah, sorry - I thought you meant the plans for this particular
submission.

There can be of course plans for server-side code signing components.

Thanks,

Robert

> 
> Regards,
> Bernd
> 
> From: Robert Munteanu
> Sent: Tuesday, 30 January 2018 11:21
> To: Commons Developers List
> Subject: Re: [Signing] New component for code signing
> 
> Hi Bernd,
> 
> On Wed, 2018-01-24 at 22:26 +0100, Bernd Eckenfels wrote:
> > +1  - and I would expect we also see a Server-side component.
> > 
> > BTW: Eclipse also has some infrastructure for this (we use a modified
> > Version with a PHP backend on-prem)
> > 
> > http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/maven-plugins/README.md
> 
> For reference, the server-side part is provided and hosted by Symantec,
> so there are no immediate plans to add a server-side component.
> 
> Thanks,
> 
> Robert
> 




RE: [Signing] New component for code signing

Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
Well, there are plans by me. I would not invest time in a project nobody else can use…

Maybe there can be some consensus on a common protocol.

Regards,
Bernd

From: Robert Munteanu
Sent: Tuesday, 30 January 2018 11:21
To: Commons Developers List
Subject: Re: [Signing] New component for code signing

Hi Bernd,

On Wed, 2018-01-24 at 22:26 +0100, Bernd Eckenfels wrote:
> +1  - and I would expect we also see a Server-side component.
> 
> BTW: Eclipse also has some infrastructure for this (we use a modified
> Version with a PHP backend on-prem)
> 
> http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/maven-plugins/README.md

For reference, the server-side part is provided and hosted by Symantec,
so there are no immediate plans to add a server-side component.

Thanks,

Robert




Re: [Signing] New component for code signing

Posted by Robert Munteanu <ro...@apache.org>.
Hi Bernd,

On Wed, 2018-01-24 at 22:26 +0100, Bernd Eckenfels wrote:
> +1  - and I would expect we also see a Server-side component.
> 
> BTW: Eclipse also has some infrastructure for this (we use a modified
> Version with a PHP backend on-prem)
> 
> http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/maven-plugins/README.md

For reference, the server-side part is provided and hosted by Symantec,
so there are no immediate plans to add a server-side component.

Thanks,

Robert



Re: [Signing] New component for code signing

Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
+1  - and I would expect we also see a Server-side component.

BTW: Eclipse also has some infrastructure for this (we use a modified Version with a PHP backend on-prem)

http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/maven-plugins/README.md

Regards,
Bernd
-- 
http://bernd.eckenfels.net

From: Gary Gregory
Sent: Wednesday, 24 January 2018 22:05
To: Commons Developers List
Subject: Re: [Signing] New component for code signing

+1

Gary

On Wed, Jan 24, 2018 at 1:35 AM, Benedikt Ritter <br...@apache.org> wrote:

> Hello Mark,
>
> +1 In my opinion this is exactly what Commons should be doing.
>
> Regards,
> Benedikt
>
> Mark Thomas <ma...@apache.org> wrote on Tue, 23 Jan 2018 at 07:34:
>
> > All,
> >
> > As you may know, the ASF has been using a code signing service for a
> > number of years provided by Symantec. We use it to sign Commons Daemon
> > Windows binaries.
> >
> > The code signing service has a web based GUI and a SOAP based API.
> > Tomcat has written an Ant task to use the SOAP API and Sling has taken
> > this and used it as the basis for a Maven plug-in.
> >
> > Currently, the Ant task is hosted within the Tomcat codebase and the
> > Maven plug-in within Sling. Both communities would like to move this to
> > a better home where it can more easily be re-used by other Apache
> > projects and other organisations using Symantec's code signing service.
> >
> > After some thought and discussion, we (Robert Munteanu and I) would like
> > to propose this code signing component as a new component at Commons.
> > Our reasons for this are as follows:
> >
> > - The code is written in Java
> > - It is a relatively small component
> > - It is a utility likely to be of interest to multiple Apache projects
> > - If it is going to be re-used across multiple projects, it needs to be
> >   formally released and that requires a PMC
> >
> > If accepted the plan would be:
> > - commit the original Tomcat code for the Ant task
> > - refactor it to allow re-use of code common to the Ant task and Maven
> >   plug-in
> > - add the Maven plug-in
> > - release it as a single JAR that provided both the Ant task and the
> >   Maven plug-in
> > - Ongoing review and maintenance (there are a couple of areas that could
> >   benefit from some improvement)
> >
> > Thoughts? Comments?
> >
> > Mark
> >
>


Re: [Signing] New component for code signing

Posted by Gary Gregory <ga...@gmail.com>.
+1

Gary

On Wed, Jan 24, 2018 at 1:35 AM, Benedikt Ritter <br...@apache.org> wrote:

> Hello Mark,
>
> +1 In my opinion this is exactly what Commons should be doing.
>
> Regards,
> Benedikt
>
> Mark Thomas <ma...@apache.org> wrote on Tue, 23 Jan 2018 at 07:34:
>
> > All,
> >
> > As you may know, the ASF has been using a code signing service for a
> > number of years provided by Symantec. We use it to sign Commons Daemon
> > Windows binaries.
> >
> > The code signing service has a web based GUI and a SOAP based API.
> > Tomcat has written an Ant task to use the SOAP API and Sling has taken
> > this and used it as the basis for a Maven plug-in.
> >
> > Currently, the Ant task is hosted within the Tomcat codebase and the
> > Maven plug-in within Sling. Both communities would like to move this to
> > a better home where it can more easily be re-used by other Apache
> > projects and other organisations using Symantec's code signing service.
> >
> > After some thought and discussion, we (Robert Munteanu and I) would like
> > to propose this code signing component as a new component at Commons.
> > Our reasons for this are as follows:
> >
> > - The code is written in Java
> > - It is a relatively small component
> > - It is a utility likely to be of interest to multiple Apache projects
> > - If it is going to be re-used across multiple projects, it needs to be
> >   formally released and that requires a PMC
> >
> > If accepted the plan would be:
> > - commit the original Tomcat code for the Ant task
> > - refactor it to allow re-use of code common to the Ant task and Maven
> >   plug-in
> > - add the Maven plug-in
> > - release it as a single JAR that provided both the Ant task and the
> >   Maven plug-in
> > - Ongoing review and maintenance (there are a couple of areas that could
> >   benefit from some improvement)
> >
> > Thoughts? Comments?
> >
> > Mark
> >
>

Re: [Signing] New component for code signing

Posted by Benedikt Ritter <br...@apache.org>.
Hello Mark,

+1 In my opinion this is exactly what Commons should be doing.

Regards,
Benedikt

Mark Thomas <ma...@apache.org> wrote on Tue, 23 Jan 2018 at 07:34:

> All,
>
> As you may know, the ASF has been using a code signing service for a
> number of years provided by Symantec. We use it to sign Commons Daemon
> Windows binaries.
>
> The code signing service has a web based GUI and a SOAP based API.
> Tomcat has written an Ant task to use the SOAP API and Sling has taken
> this and used it as the basis for a Maven plug-in.
>
> Currently, the Ant task is hosted within the Tomcat codebase and the
> Maven plug-in within Sling. Both communities would like to move this to
> a better home where it can more easily be re-used by other Apache
> projects and other organisations using Symantec's code signing service.
>
> After some thought and discussion, we (Robert Munteanu and I) would like
> to propose this code signing component as a new component at Commons.
> Our reasons for this are as follows:
>
> - The code is written in Java
> - It is a relatively small component
> - It is a utility likely to be of interest to multiple Apache projects
> - If it is going to be re-used across multiple projects, it needs to be
>   formally released and that requires a PMC
>
> If accepted the plan would be:
> - commit the original Tomcat code for the Ant task
> - refactor it to allow re-use of code common to the Ant task and Maven
>   plug-in
> - add the Maven plug-in
> - release it as a single JAR that provided both the Ant task and the
>   Maven plug-in
> - Ongoing review and maintenance (there are a couple of areas that could
>   benefit from some improvement)
>
> Thoughts? Comments?
>
> Mark
>

Re: [Signing] New component for code signing

Posted by Matt Sicker <bo...@gmail.com>.
+1 (non-binding)

I'd find such a plugin useful for Apache Chainsaw in the future. Any other
Java GUI apps at Apache could benefit as well.

On 24 January 2018 at 17:19, Hasan Diwan <ha...@gmail.com> wrote:

> +1
>
> On 22 January 2018 at 22:33, Mark Thomas <ma...@apache.org> wrote:
>
> > All,
> >
> > As you may know, the ASF has been using a code signing service for a
> > number of years provided by Symantec. We use it to sign Commons Daemon
> > Windows binaries.
> >
> > The code signing service has a web based GUI and a SOAP based API.
> > Tomcat has written an Ant task to use the SOAP API and Sling has taken
> > this and used it as the basis for a Maven plug-in.
> >
> > Currently, the Ant task is hosted within the Tomcat codebase and the
> > Maven plug-in within Sling. Both communities would like to move this to
> > a better home where it can more easily be re-used by other Apache
> > projects and other organisations using Symantec's code signing service.
> >
> > After some thought and discussion, we (Robert Munteanu and I) would like
> > to propose this code signing component as a new component at Commons.
> > Our reasons for this are as follows:
> >
> > - The code is written in Java
> > - It is a relatively small component
> > - It is a utility likely to be of interest to multiple Apache projects
> > - If it is going to be re-used across multiple projects, it needs to be
> >   formally released and that requires a PMC
> >
> > If accepted the plan would be:
> > - commit the original Tomcat code for the Ant task
> > - refactor it to allow re-use of code common to the Ant task and Maven
> >   plug-in
> > - add the Maven plug-in
> > - release it as a single JAR that provided both the Ant task and the
> >   Maven plug-in
> > - Ongoing review and maintenance (there are a couple of areas that could
> >   benefit from some improvement)
> >
> > Thoughts? Comments?
> >
> > Mark
> >
>
>
> --
> OpenPGP:
> https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
> If you wish to request my time, please do so using
> http://bit.ly/hd1ScheduleRequest.
> If you would like to get acquainted, go to
> http://bit.ly/hd1ScheduleRequest.
>
> Sent from my mobile device
> Sent from my mobile phone
>



-- 
Matt Sicker <bo...@gmail.com>

Re: [Signing] New component for code signing

Posted by Hasan Diwan <ha...@gmail.com>.
+1

On 22 January 2018 at 22:33, Mark Thomas <ma...@apache.org> wrote:

> All,
>
> As you may know, the ASF has been using a code signing service for a
> number of years provided by Symantec. We use it to sign Commons Daemon
> Windows binaries.
>
> The code signing service has a web based GUI and a SOAP based API.
> Tomcat has written an Ant task to use the SOAP API and Sling has taken
> this and used it as the basis for a Maven plug-in.
>
> Currently, the Ant task is hosted within the Tomcat codebase and the
> Maven plug-in within Sling. Both communities would like to move this to
> a better home where it can more easily be re-used by other Apache
> projects and other organisations using Symantec's code signing service.
>
> After some thought and discussion, we (Robert Munteanu and I) would like
> to propose this code signing component as a new component at Commons.
> Our reasons for this are as follows:
>
> - The code is written in Java
> - It is a relatively small component
> - It is a utility likely to be of interest to multiple Apache projects
> - If it is going to be re-used across multiple projects, it needs to be
>   formally released and that requires a PMC
>
> If accepted the plan would be:
> - commit the original Tomcat code for the Ant task
> - refactor it to allow re-use of code common to the Ant task and Maven
>   plug-in
> - add the Maven plug-in
> - release it as a single JAR that provided both the Ant task and the
>   Maven plug-in
> - Ongoing review and maintenance (there are a couple of areas that could
>   benefit from some improvement)
>
> Thoughts? Comments?
>
> Mark
>


-- 
OpenPGP:
https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
If you wish to request my time, please do so using
http://bit.ly/hd1ScheduleRequest.
If you would like to get acquainted, go to
http://bit.ly/hd1ScheduleRequest.

Sent from my mobile device
Sent from my mobile phone

Re: [Signing] New component for code signing

Posted by Rob Tompkins <ch...@gmail.com>.

> On Feb 1, 2018, at 5:28 PM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 01/02/18 22:08, Emmanuel Bourg wrote:
>>> On 23/01/2018 at 07:33, Mark Thomas wrote:
>>> 
>>> Thoughts? Comments?
>> 
>> +1

+1

>> 
>> I might even be able to contribute some elements I developed for my
>> jsign project [1]. jsign is able to sign Windows executables but using a
>> local signing certificate or a PKCS#11 token. It comes with an Ant task,
>> a Maven plugin, a Gradle plugin and also a command line tool.
>> 
>> Will the scope be limited to the Symantec signing service?
> 
> I see no reason to limit the scope that way. There might be some
> opportunities to re-use code.
> 
> There looks to be general agreement that this proposal is a good idea so
> I'll start a formal VOTE shortly - probably tomorrow now
> 
> Mark
> 



Re: [Signing] New component for code signing

Posted by Mark Thomas <ma...@apache.org>.
On 01/02/18 22:08, Emmanuel Bourg wrote:
> On 23/01/2018 at 07:33, Mark Thomas wrote:
> 
>> Thoughts? Comments?
> 
> +1
> 
> I might even be able to contribute some elements I developed for my
> jsign project [1]. jsign is able to sign Windows executables but using a
> local signing certificate or a PKCS#11 token. It comes with an Ant task,
> a Maven plugin, a Gradle plugin and also a command line tool.
> 
> Will the scope be limited to the Symantec signing service?

I see no reason to limit the scope that way. There might be some
opportunities to re-use code.

There looks to be general agreement that this proposal is a good idea so
I'll start a formal VOTE shortly - probably tomorrow now

Mark



Re: [Signing] New component for code signing

Posted by Emmanuel Bourg <eb...@apache.org>.
On 23/01/2018 at 07:33, Mark Thomas wrote:

> Thoughts? Comments?

+1

I might even be able to contribute some elements I developed for my
jsign project [1]. jsign is able to sign Windows executables but using a
local signing certificate or a PKCS#11 token. It comes with an Ant task,
a Maven plugin, a Gradle plugin and also a command line tool.

Will the scope be limited to the Symantec signing service?

Emmanuel Bourg

[1] https://ebourg.github.io/jsign/
