Posted to infrastructure-dev@apache.org by Om <bi...@gmail.com> on 2012/08/16 00:09:44 UTC

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:

>
> On Jul 19, 2012, at 11:16 AM, Om wrote:
>
> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>
>> Hi Dave,
>>
>> Our hosted signing service does not currently provide the ability to sign
>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>> website:
>>
>> http://www.symantec.com/verisign/code-signing/adobe-air
>>
>> Would this work for you?  Please let us know if you have any questions.
>>
>> Thanks,
>>
>> Rich
>>
>>
> Rich,
>
> This would work perfectly fine for us.
>
>
> Om,
>
> And now the question is for the Apache Infrastructure team. Assuming that
> an apache.org certificate for signing Air applications is purchased The
> ASF how will it be handled? And that is the other thread.
>
> Thanks,
> Dave
>
>
Do we know if there has been any work/discussion on this?  We are preparing
our installer app for release and a valid certificate would be very good to
have.

What should I (or infra) do to get this certificate approved and purchased
for us by us?  How can I help speed up this process?

Thanks,
Om

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Rob Weir <ro...@apache.org>.
On Thu, Aug 16, 2012 at 4:38 PM, Dave Fisher <da...@comcast.net> wrote:
>
> On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:
>
>> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>>> Maybe infra-structure can give me feedback what doesn't work with these
>>> proposals. And as typical at Apache if you have concerns (-1) come up
>>> with another proposal that fulfills better the needs of infra-structure
>>
>> Infra do have veto power over PMCs with respect to solutions that
>> involve obtaining and maintaining any sort of central secret (e.g.,
>> certificate private key).
>>
>> Now, would you quit citing policies of this org to people who had been
>> Members thereof before you heard of it?
>
> One of Jürgen's proposals was in essence to have infrastructure controlled buildbots with project provided setups which would be run by the Infrastructure team that would include certificates that were under Infrastructure's control. These buildbots would be based on the project's ci buildbots. Infrastructure would be given the release tag and would be able to fully build each of the binary artifacts on the appropriate OS.
>

I like the direction this is headed.  One consideration is whether
every build is signed or whether this is done only on request.  If
done on request we need to determine how a request is made.  The more
complicated case is with security-fix related releases where there
would be a need to keep the existence and timing of that release private
until the last possible opportunity.

-Rob


> Perhaps that would meet Infrastructure's approval?
>
> So far these proposals have been met with lazy -1's. Please tell us what is wrong with these ideas? This really is a good faith attempt to be compliant with what we all agree are important policies. Specifically assuring that the ASF's credibility is not in any way damaged by the misuse of an apache.org digital signing certificate.
>
> Regards,
> Dave
>
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:

> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>> Maybe infra-structure can give me feedback what doesn't work with these
>> proposals. And as typical at Apache if you have concerns (-1) come up
>> with another proposal that fulfills better the needs of infra-structure
> 
> Infra do have veto power over PMCs with respect to solutions that
> involve obtaining and maintaining any sort of central secret (e.g.,
> certificate private key).
> 
> Now, would you quit citing policies of this org to people who had been
> Members thereof before you heard of it?

One of Jürgen's proposals was in essence to have infrastructure controlled buildbots with project provided setups which would be run by the Infrastructure team that would include certificates that were under Infrastructure's control. These buildbots would be based on the project's ci buildbots. Infrastructure would be given the release tag and would be able to fully build each of the binary artifacts on the appropriate OS.

Perhaps that would meet Infrastructure's approval?

So far these proposals have been met with lazy -1's. Please tell us what is wrong with these ideas? This really is a good faith attempt to be compliant with what we all agree are important policies. Specifically assuring that the ASF's credibility is not in any way damaged by the misuse of an apache.org digital signing certificate.

Regards,
Dave



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
> Maybe infra-structure can give me feedback what doesn't work with these
> proposals. And as typical at Apache if you have concerns (-1) come up
> with another proposal that fulfills better the needs of infra-structure

Infra do have veto power over PMCs with respect to solutions that
involve obtaining and maintaining any sort of central secret (e.g.,
certificate private key).

Now, would you quit citing policies of this org to people who had been
Members thereof before you heard of it?

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Rob,

On Wed, Aug 29, 2012 at 7:27 PM, Rob Weir <ro...@apache.org> wrote:
> ...In any case, the root page is "immutable" for me.  Can someone with
> sufficient rights create the new page?...

I have created http://wiki.apache.org/general/ASFCodeSigning and made
some suggestions in there as to how to go forward.

-Bertrand

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 17, 2012 at 12:29 PM, Tony Stevenson <pc...@apache.org> wrote:
>
> On 17 Aug 2012, at 12:38, Tony Stevenson <to...@pc-tony.com> wrote:
>
>> wiki.a.o/general/FooSSLPageHere or some such would be fine with me.
>

As a top-level page?  Or would we prefer to structure it as an
infra-dev root page and a code signing page linked from there?

In any case, the root page is "immutable" for me.  Can someone with
sufficient rights create the new page?

-Rob

> Actually the more I think about it, the better this seems.  Once all the proposals are ready for review please ping us and we can take it on, then.  That would be infinitely easier than collating all the emails on the topic.
>
>
>
> Tony
>
> ---------------------------------------
> Tony Stevenson
>
> tony@pc-tony.com // pctony@apache.org
> tony@caret.cam.ac.uk
>
> http://blog.pc-tony.com
>
> GPG - 1024D/51047D66
> --------------------------------------
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.
On 17 Aug 2012, at 12:38, Tony Stevenson <to...@pc-tony.com> wrote:

> wiki.a.o/general/FooSSLPageHere or some such would be fine with me. 

Actually the more I think about it, the better this seems.  Once all the proposals are ready for review please ping us and we can take it on, then.  That would be infinitely easier than collating all the emails on the topic.



Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <to...@pc-tony.com>.
On 17 Aug 2012, at 12:35, Bertrand Delacretaz <bd...@apache.org> wrote:

> On Thu, Aug 16, 2012 at 8:47 PM, William A. Rowe Jr.
> <wr...@rowe-clan.net> wrote:
>> ...If this proposal is also added to a Wiki, I think it will become less confusing
>> for folks to follow....
> 
> Big +1, considering that it's a somewhat disjoint group of people who
> are interested in this, I would suggest that representatives of the
> projects that need this work together on a wiki page that defines
> their *requirements* (without talking about tools at first, if
> possible, or at least clearly separate the core requirements from
> tools suggestions) so that infra and others can look at that and
> attack the problem at its core.
> 

wiki.a.o/general/FooSSLPageHere or some such would be fine with me. 
 

> I assume it's fine to use this list to coordinate this requirements work.
> 
> -Bertrand


Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Aug 16, 2012 at 8:47 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> ...If this proposal is also added to a Wiki, I think it will become less confusing
> for folks to follow....

Big +1, considering that it's a somewhat disjoint group of people who
are interested in this, I would suggest that representatives of the
projects that need this work together on a wiki page that defines
their *requirements* (without talking about tools at first, if
possible, or at least clearly separate the core requirements from
tools suggestions) so that infra and others can look at that and
attack the problem at its core.

I assume it's fine to use this list to coordinate this requirements work.

-Bertrand

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/16/2012 1:25 PM, Om wrote:
> On Wed, Aug 15, 2012 at 3:53 PM, Om <bi...@gmail.com> wrote:
> 
>> Tony,
>>
>> On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
>> proposal: [1]
>> On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
>> original proposal so that it works for Apache Flex as well: [2]
>>
>> Can you please take a look and let me know if this works and what else
>> needs to be answered?
>>
>> Thanks,
>> Om
>>
>> [1] http://markmail.org/message/2xx5ia72b6xestur
>> [2] http://markmail.org/message/chupjp5tsuosiu23
>>
>>
> Before this gets buried, I want to highlight the current proposals on the
> table and ask for feedback.  If we get feedback, we will be able to move
> forward.

If this proposal is also added to a Wiki, I think it will become less confusing
for folks to follow.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
On Wed, Aug 15, 2012 at 3:53 PM, Om <bi...@gmail.com> wrote:

> Tony,
>
> On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
> proposal: [1]
> On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
> original proposal so that it works for Apache Flex as well: [2]
>
> Can you please take a look and let me know if this works and what else
> needs to be answered?
>
> Thanks,
> Om
>
> [1] http://markmail.org/message/2xx5ia72b6xestur
> [2] http://markmail.org/message/chupjp5tsuosiu23
>
>
Before this gets buried, I want to highlight the current proposals on the
table and ask for feedback.  If we get feedback, we will be able to move
forward.

Thanks,
Om

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Om <bi...@gmail.com>.
Tony,

On July 13, 2012, Jürgen Schmidt from the Apache OOO project made this
proposal: [1]
On July 18, 2012, I followed up with a couple of tweaks to Jurgen's
original proposal so that it works for Apache Flex as well: [2]

Can you please take a look and let me know if this works and what else needs
to be answered?

Thanks,
Om

[1] http://markmail.org/message/2xx5ia72b6xestur
[2] http://markmail.org/message/chupjp5tsuosiu23

On Wed, Aug 15, 2012 at 3:20 PM, Tony Stevenson <pc...@apache.org> wrote:

>
>
> Sent from my iPad
>
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>
> > On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net>
> wrote:
> >
> >>
> >> On Jul 19, 2012, at 11:16 AM, Om wrote:
> >>
> >> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <
> Richard_Hall@symantec.com> wrote:
> >>
> >>> Hi Dave,
> >>>
> >>> Our hosted signing service does not currently provide the ability to
> sign
> >>> Air applications, but we do offer Code Signing certs for Adobe Air
> from our
> >>> website:
> >>>
> >>> http://www.symantec.com/verisign/code-signing/adobe-air
> >>>
> >>> Would this work for you?  Please let us know if you have any questions.
> >>>
> >>> Thanks,
> >>>
> >>> Rich
> >>>
> >>>
> >> Rich,
> >>
> >> This would work perfectly fine for us.
> >>
> >>
> >> Om,
> >>
> >> And now the question is for the Apache Infrastructure team. Assuming
> that
> >> an apache.org certificate for signing Air applications is purchased The
> >> ASF how will it be handled? And that is the other thread.
> >>
> >> Thanks,
> >> Dave
> >>
> >>
> > Do we know if there has been any work/discussion on this?  We are
> preparing
> > our installer app for release and a valid certificate would be very good to
> > have.
> >
> > What should I (or infra) do to get this certificate approved and
> purchased
> > for us by us?  How can I help speed up this process?
> >
> > Thanks,
> > Om
>
>
> Om,
>
> We, infra, are still waiting for someone to come to us with a proposal on
> how to deploy this within the bounds we have laid out several times both
> here and in Jira. We won't just randomly set something up.
>
> Until we are in receipt of such, and we have had a chance to review the same,
> we won't be purchasing any such certificate, and no project should be going
> direct to any supplier to do the same. There are very real concerns we have
> and we want to see them fully addressed before proceeding.
>
> To be clear, this needs to stop at this juncture until we are happy to
> proceed. If you require this for delivery of a binary installer, can I
> suggest that you and your project, perhaps in conjunction with other
> projects come up with this plan we have asked for.

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
On Aug 16, 2012, at 12:08 AM, Jürgen Schmidt wrote:

> On 8/16/12 1:38 AM, Dave Fisher wrote:
>> Hi Tony,
>> 
>> The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.
>> 
>> Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.
>> 
> it can be a duplicate image of the Windows build bot where the
> certificate is installed. The builds have to be triggered by someone who
> has access to this machine. But we can of course automate it probably
> to simply start a script and give a revision as input

Exactly.

> 
> 
>> I think that Flex will want both Windows and Mac buildbots as well.
> 
> AOO in the future as well

Andrew is waiting for the Mac buildbot - here is the buildbot master JIRA for AOO - INFRA-4197 More Buildbots for Apache OpenOffice

> 
>> 
>> INFRA-4902 Create Mac buildbot
>> 
>> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)
> 
> What exactly are your problems, which system do you use, Mountain Lion?
> Until today I am not aware that anybody has built AOO on Mountain Lion
> and even on Lion it requires some work. Apple/MacOS is not really
> developer friendly if you don't walk inside the "closed" Apple world ;-)

I've got past this issue. cpan had its permissions changed removing the a+x.

I had to upgrade LWP::UserAgent in cpan. cpan install only saw I had LWP::UserAgent and this was missing the show_progress method.

I'm on MacOSX 10.6.8

> 
>> 
>> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)
> 
> that's true, signing from Apple or from a developer with an official and
> registered Apple developer ID. I haven't analyzed the signing process on
> Mountain Lion in detail so far but that is on the list.

My newer Mac is on Lion w/a free Mountain Lion upgrade, but I haven't had the free time to move everything around as I need more backup disk space first.

And yes this is a detail.

> 
> Juergen
> 
>> 
>> Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."
>> 
>> Regards,
>> Dave 
>> 
>> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>> 
>>> 
>>> 
>>> Sent from my iPad
>>> 
>>> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>>> 
>>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>>> 
>>>>> 
>>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>> 
>>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>>> 
>>>>>> Hi Dave,
>>>>>> 
>>>>>> Our hosted signing service does not currently provide the ability to sign
>>>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>>>> website:
>>>>>> 
>>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>> 
>>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Rich
>>>>>> 
>>>>>> 
>>>>> Rich,
>>>>> 
>>>>> This would work perfectly fine for us.
>>>>> 
>>>>> 
>>>>> Om,
>>>>> 
>>>>> And now the question is for the Apache Infrastructure team. Assuming that
>>>>> an apache.org certificate for signing Air applications is purchased The
>>>>> ASF how will it be handled? And that is the other thread.
>>>>> 
>>>>> Thanks,
>>>>> Dave
>>>>> 
>>>>> 
>>>> Do we know if there has been any work/discussion on this?  We are preparing
>>>> our installer app for release and a valid certificate would be very good to
>>>> have.
>>>> 
>>>> What should I (or infra) do to get this certificate approved and purchased
>>>> for us by us?  How can I help speed up this process?
>>>> 
>>>> Thanks,
>>>> Om
>>> 
>>> 
>>> Om, 
>>> 
>>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
>>> 
>>> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>>> 
>>> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with other projects come up with this plan we have asked for.
>> 
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/16/12 1:38 AM, Dave Fisher wrote:
> Hi Tony,
> 
> The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.
> 
> Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.
> 
it can be a duplicate image of the Windows build bot where the
certificate is installed. The builds have to be triggered by someone who
has access to this machine. But we can of course automate it probably
to simply start a script and give a revision as input


> I think that Flex will want both Windows and Mac buildbots as well.

AOO in the future as well

> 
> INFRA-4902 Create Mac buildbot
> 
> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)

What exactly are your problems, which system do you use, Mountain Lion?
Until today I am not aware that anybody has built AOO on Mountain Lion
and even on Lion it requires some work. Apple/MacOS is not really
developer friendly if you don't walk inside the "closed" Apple world ;-)

> 
> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)

that's true, signing from Apple or from a developer with an official and
registered Apple developer ID. I haven't analyzed the signing process on
Mountain Lion in detail so far but that is on the list.

Juergen

> 
> Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."
> 
> Regards,
> Dave 
> 
> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
> 
>>
>>
>> Sent from my iPad
>>
>> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
>>
>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>>
>>>>
>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>
>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>>
>>>>> Hi Dave,
>>>>>
>>>>> Our hosted signing service does not currently provide the ability to sign
>>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>>> website:
>>>>>
>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>
>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Rich
>>>>>
>>>>>
>>>> Rich,
>>>>
>>>> This would work perfectly fine for us.
>>>>
>>>>
>>>> Om,
>>>>
>>>> And now the question is for the Apache Infrastructure team. Assuming that
>>>> an apache.org certificate for signing Air applications is purchased The
>>>> ASF how will it be handled? And that is the other thread.
>>>>
>>>> Thanks,
>>>> Dave
>>>>
>>>>
>>> Do we know if there has been any work/discussion on this?  We are preparing
>>> our installer app for release and a valid certificate would be very good to
>>> have.
>>>
>>> What should I (or infra) do to get this certificate approved and purchased
>>> for us by us?  How can I help speed up this process?
>>>
>>> Thanks,
>>> Om
>>
>>
>> Om, 
>>
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
>>
>> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
>>
>> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with other projects come up with this plan we have asked for.
> 


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Scott Deboy <sc...@gmail.com>.
Chainsaw also has a need to deliver a Mac image (DMG) as well as signed
jars for web start deployment.  I assume the DMG would need the same
support mentioned for Mountain Lion.

Scott

On Wed, Aug 15, 2012 at 4:38 PM, Dave Fisher <da...@comcast.net> wrote:

> Hi Tony,
>
> The bounds are very tight. I thought that Jürgen was pretty clear about
> how the reality of the current build makes it difficult to create a bot to
> do this. His proposal is essentially special buildbots under infra's
> control.
>
> Perhaps if AOO had all the various requested buildbots we might figure out
> how to make the proposed special buildbot that only infra can control
> because it has these special certificates.
>
> I think that Flex will want both Windows and Mac buildbots as well.
>
> INFRA-4902 Create Mac buildbot
>
> (I just entered perl / cpan hell and going into time machine due to a
> missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working
> buildbot would have caught this issue.)
>
> BTW - Mountain Lion is requiring Signing Certs from Apple and not others.
> (It's what I hear on the street, am I wrong Dean and Richard?)
>
> Does it make sense to proceed with platforms that are needed for CI and
> where the signing solution would possibly "live."
>
> Regards,
> Dave
>
> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>
> >
> >
> > Sent from my iPad
> >
> > On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> >
> >> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net>
> wrote:
> >>
> >>>
> >>> On Jul 19, 2012, at 11:16 AM, Om wrote:
> >>>
> >>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <
> Richard_Hall@symantec.com> wrote:
> >>>
> >>>> Hi Dave,
> >>>>
> >>>> Our hosted signing service does not currently provide the ability to
> sign
> >>>> Air applications, but we do offer Code Signing certs for Adobe Air
> from our
> >>>> website:
> >>>>
> >>>> http://www.symantec.com/verisign/code-signing/adobe-air
> >>>>
> >>>> Would this work for you?  Please let us know if you have any
> questions.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Rich
> >>>>
> >>>>
> >>> Rich,
> >>>
> >>> This would work perfectly fine for us.
> >>>
> >>>
> >>> Om,
> >>>
> >>> And now the question is for the Apache Infrastructure team. Assuming
> that
> >>> an apache.org certificate for signing Air applications is purchased
> The
> >>> ASF how will it be handled? And that is the other thread.
> >>>
> >>> Thanks,
> >>> Dave
> >>>
> >>>
> >> Do we know if there has been any work/discussion on this?  We are
> preparing
> >> our installer app for release and a valid certificate would be very good
> to
> >> have.
> >>
> >> What should I (or infra) do to get this certificate approved and
> purchased
> >> for us by us?  How can I help speed up this process?
> >>
> >> Thanks,
> >> Om
> >
> >
> > Om,
> >
> > We, infra, are still waiting for someone to come to us with a proposal
> on how to deploy this within the bounds we have laid out several times both
> here and in Jira. We won't just randomly set something up.
> >
> > Until we are in receipt of such, and we have had a chance to review the
> same, we won't be purchasing any such certificate, and no project should be
> going direct to any supplier to do the same. There are very real concerns
> we have and we want to see them fully addressed before proceeding.
> >
> > To be clear, this needs to stop at this juncture until we are happy to
> proceed. If you require this for delivery of a binary installer, can I
> suggest that you and your project, perhaps in conjunction with other
> projects come up with this plan we have asked for.
>
>

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Dave Fisher <da...@comcast.net>.
Hi Tony,

The bounds are very tight. I thought that Jürgen was pretty clear about how the reality of the current build makes it difficult to create a bot to do this. His proposal is essentially special buildbots under infra's control.

Perhaps if AOO had all the various requested buildbots we might figure out how to make the proposed special buildbot that only infra can control because it has these special certificates.

I think that Flex will want both Windows and Mac buildbots as well.

INFRA-4902 Create Mac buildbot

(I just entered perl / cpan hell and going into time machine due to a missing prerequisite in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)

BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what I hear on the street, am I wrong Dean and Richard?)

Does it make sense to proceed with platforms that are needed for CI and where the signing solution would possibly "live."

Regards,
Dave 

On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:

> 
> 
> Sent from my iPad
> 
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> 
>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>> 
>>> 
>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>> 
>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>> 
>>>> Hi Dave,
>>>> 
>>>> Our hosted signing service does not currently provide the ability to sign
>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>> website:
>>>> 
>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>> 
>>>> Would this work for you?  Please let us know if you have any questions.
>>>> 
>>>> Thanks,
>>>> 
>>>> Rich
>>>> 
>>>> 
>>> Rich,
>>> 
>>> This would work perfectly fine for us.
>>> 
>>> 
>>> Om,
>>> 
>>> And now the question is for the Apache Infrastructure team. Assuming that
>>> an apache.org certificate for signing Air applications is purchased The
>>> ASF how will it be handled? And that is the other thread.
>>> 
>>> Thanks,
>>> Dave
>>> 
>>> 
>> Do we know if there has been any work/discussion on this?  We are preparing
>> our installer app for release and a valid certificate would be very good to
>> have.
>> 
>> What should I (or infra) do to get this certificate approved and purchased
>> for us by us?  How can I help speed up this process?
>> 
>> Thanks,
>> Om
> 
> 
> Om, 
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
> 
> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with other projects come up with this plan we have asked for.


Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 8/16/12 12:20 AM, Tony Stevenson wrote:
> 
> 
> Sent from my iPad
> 
> On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:
> 
>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
>>
>>>
>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>
>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Our hosted signing service does not currently provide the ability to sign
>>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>>> website:
>>>>
>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>
>>>> Would this work for you?  Please let us know if you have any questions.
>>>>
>>>> Thanks,
>>>>
>>>> Rich
>>>>
>>>>
>>> Rich,
>>>
>>> This would work perfectly fine for us.
>>>
>>>
>>> Om,
>>>
>>> And now the question is for the Apache Infrastructure team. Assuming that
>>> an apache.org certificate for signing Air applications is purchased The
>>> ASF how will it be handled? And that is the other thread.
>>>
>>> Thanks,
>>> Dave
>>>
>>>
>> Do we know if there has been any work/discussion on this?  We are preparing
>> our installer app for release and a valid certificate would be very good to
>> have.
>>
>> What should I (or infra) do to get this certificate approved and purchased
>> for us by us?  How can I help speed up this process?
>>
>> Thanks,
>> Om
> 
> 
> Om, 
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.
> 
> To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with other projects, come up with this plan we have asked for.
> 

It's possible that I completely misunderstand you but I think that I
have provided 2 proposals how such a process can be handled by the
example of AOO. And I offered my help to set up for example a special
build machine (1 of my proposals).

I have also explained in detail how complex it is in case of AOO and
that it is a 2 step process.

Maybe infrastructure can give me feedback what doesn't work with these
proposals. And as typical at Apache if you have concerns (-1) come up
with another proposal that fulfills better the needs of infrastructure
and of course the projects who need the signing process. I have thought
about it and discussed it with some colleagues and we have no better
proposal so far.

But we should really drive this forward. If it comes out that it is not
possible at all, we should figure out if it is possible to find an
external sponsor for a certificate that we can use to sign the binaries.

Regards
Juergen





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/16/2012 7:52 AM, Mark Thomas wrote:
> 
> I suggest you read the entire thread and then consider offering the
> Infra team generally and Tony specifically an apology.

I have, there is a pdf whitepaper in the archives that Tony can refer
back to, if he were interested.  We have iterated the logic on any
number of occasions in the past year, and I spelled out exactly my
logic on dropping an offer of building an incomplete code signing
service on ASF hardware.  We simply cannot provide the same detail
and control that the Symantec plan offers.

There are two further interactions with Symantec on this subject, one
is for Sam in a position of authority or another to approach Symantec
for the precise details of their offer.  The other is to gather the
implementation details and I suspect that beta access to this service
is going to be required to determine how all the bits can be married
together across various build systems, including Maven.

I'm going to attribute his claim that nobody has provided any detailed
proposal to email overload and a request for collecting that data on
some wiki.

Sorry Tony.  Please point me to the wiki you wish me to use to gather
the relevant email-archived details?

> Om & Dave Fisher asked about signing Adobe Air applications
> 
> Richard Hall stated that the Symantec signing service *does not* support
> Adobe Air but that a code signing cert could be made available.
> 
> Om asked if there has been any progress.
> 
> Tony replied (again) that a concrete proposal needs to be made for an
> ASF hosted signing service for infrastructure to consider. Some ideas
> have been floated but there has not yet been a proposal in sufficient
> level of detail for infrastructure to evaluate.
> 
> The Symantec service may solve some problems but it is not a panacea.

Agreed in part (Apple being a huge enigma).  But if Apple certs are per
Apple ADC developer, we have far fewer issues than dealing with org sigs.
This becomes the equivalent of GPG keys.



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Mark Thomas <ma...@apache.org>.
On 16/08/2012 06:38, William A. Rowe Jr. wrote:
> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>>
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.
> 
> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.
> 
> The most sensical proposal is in front of your face, so your statement
> is completely crap.

Bill,

I suggest you read the entire thread and then consider offering the
Infra team generally and Tony specifically an apology.

Om & Dave Fisher asked about signing Adobe Air applications

Richard Hall stated that the Symantec signing service *does not* support
Adobe Air but that a code signing cert could be made available.

Om asked if there has been any progress.

Tony replied (again) that a concrete proposal needs to be made for an
ASF hosted signing service for infrastructure to consider. Some ideas
have been floated but there has not yet been a proposal in sufficient
level of detail for infrastructure to evaluate.

The Symantec service may solve some problems but it is not a panacea.

Mark

Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.
On 16 Aug 2012, at 06:38, "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:

> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>> 
>> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 
> 
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.

What offers?  Use Symantec?  That's hardly a detailed proposal as we have stated we want.

> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.

Interesting, why has no one mentioned this level of detail before?  Where is the detailed proposal around this offering?  We are not just going to allow projects to say 'let's use Symantec (as good, or as poor as their offering may be) - we'll figure out the details later'. We have been very clear about this from day one.

All we have asked for is a detailed proposal (which I don't take your email to be as such). That we will review and decide on thereafter.  

> The most sensical proposal is in front of your face, so your statement
> is completely crap.

Take your acrimonious pain in the ass attitude and use it somewhere more sensible please Bill. 



Cheers,
Tony

---------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--------------------------------------



Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/15/2012 5:20 PM, Tony Stevenson wrote:
> 
> We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 

I don't know how it's possible for infra to remain so deaf and ignorant
to the offers on the table.

In the Symantec proposal, each artifact is individually audited and
revocable.  Admin rights remain entirely in infra root's hands (given
some basic trust to the agency which issues most every code signing
certificate, every trust model has some issues like this).  Committers
continue to generate artifacts as they always have and are accountable
for the bits they sign with ASF credentials, without ever possessing
the keys to sign arbitrary objects outside of the auditable schema.

The most sensical proposal is in front of your face, so your statement
is completely crap.





Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Posted by Tony Stevenson <pc...@apache.org>.

Sent from my iPad

On 15 Aug 2012, at 23:09, Om <bi...@gmail.com> wrote:

> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <da...@comcast.net> wrote:
> 
>> 
>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>> 
>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Ri...@symantec.com> wrote:
>> 
>>> Hi Dave,
>>> 
>>> Our hosted signing service does not currently provide the ability to sign
>>> Air applications, but we do offer Code Signing certs for Adobe Air from our
>>> website:
>>> 
>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>> 
>>> Would this work for you?  Please let us know if you have any questions.
>>> 
>>> Thanks,
>>> 
>>> Rich
>>> 
>>> 
>> Rich,
>> 
>> This would work perfectly fine for us.
>> 
>> 
>> Om,
>> 
>> And now the question is for the Apache Infrastructure team. Assuming that
>> an apache.org certificate for signing Air applications is purchased The
>> ASF how will it be handled? And that is the other thread.
>> 
>> Thanks,
>> Dave
>> 
>> 
> Do we know if there has been any work/discussion on this?  We are preparing
> our installer app for release and valid certificate would be very good to
> have.
> 
> What should I (or infra) do to get this certificate approved and purchased
> for us by us?  How can I help speed up this process?
> 
> Thanks,
> Om


Om, 

We, infra, are still waiting for someone to come to us with a proposal on how to deploy this within the bounds we have laid out several times both here and in Jira. We won't just randomly set something up. 

Until we are in receipt of such, and we have had a chance to review the same, we won't be purchasing any such certificate, and no project should be going direct to any supplier to do the same. There are very real concerns we have and we want to see them fully addressed before proceeding.

To be clear, this needs to stop at this juncture until we are happy to proceed. If you require this for delivery of a binary installer, can I suggest that you and your project, perhaps in conjunction with other projects, come up with this plan we have asked for.