Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/09/24 22:55:58 UTC

Signing releases

I've just completed the 8.0.14 release using the new code signing
service. I'll call the vote shortly.

I've also back-ported the change to 7.0.x to pick up the signed versions
of Commons Daemon 1.0.15.

I think we should sign the 7.0.x releases as well but I am leaning
towards doing this manually this time and back-porting the changes to do
this as part of the build script for the next release. Thoughts?

On a related note, the Windows uninstaller is not currently signed. The
issue is that NSIS writes it directly to the installer for later
extraction as part of the install process. To sign it we need to be able to:
- get NSIS to write it to disk
- call the signing service (easy)
- get NSIS to write it - as the uninstaller - to the installer archive

The downside is that we'll have to sign the uninstaller and the
installer separately. That means two signing events per release rather
than one. The ASF has a fixed number of signing events and we have to
pay if we want more. I'm sure we'll have enough for 2 per Tomcat release
but just something to keep in mind.

Mark
