Re: x509 certificates for jarsigner to sign maven repos release jar file artifacts

[Greg Trasuk <tr...@trasuk.com>]

(Pulling this over to river-dev, since it’s not really a members@ question - please reply there)

Peter:

I don’t recall seeing any requests for signed jars - could you refresh my memory?

For downloadable jars, that’s what the md5 mechanism is for (although I have to admit I’ve never used it).   It’s supposed to make sure that the signature matches what the exporting party says it is.

As far as downloading jars from Maven Central, they only go in to Maven Central if they’re PGP-signed.  If you have a look in the the svn repo (it’s in the 2.2 branch and the qa_refactor branch, but the 2.2. branch is probably more up-to-date), you’ll see ‘roll-release.sh’ which generates the signatures on the release artifacts, and ‘poms/deploy_river.groovy’, which uses Maven to deploy signed artifacts to the Apache staging repository, from which we eventually release to Maven Central.

Cheers,

Greg Trasuk

> On Dec 30, 2015, at 5:38 AM, Peter Firmstone <pe...@zeus.net.au> wrote:
> 
> Thanks Nic,
> 
> We've had one user request we sign Maven artifacts.  
> 
> River 3.0 isn't quite internet ready, in that there's no support for ipv6 discovery at this stage and java serialization is insecure, and River's security is based on the assumption that java serialization and the sandbox is secure.
> 
> Current message digests for proxy codebases are based on md5 and sha1 based.  Signed jar files would provide a more secure alternative, when combined with DownloadPermission, however users could sign our proxy codebases themselves.
> 
> I have a prototype that solves java serialization and lookup service security issues, similar to http input validation and I'm working on ipv6 discovery.
> 
> We could delay signing artifacts until a following release.
> 
> Regards,
> 
> Peter.
> 
> Sent from my Samsung device.
>  
> ---- Original message ----
> From: Niclas Hedhman <he...@gmail.com>
> Sent: 30/12/2015 11:42:36 am
> To: Apache Members <me...@apache.org>
> Cc: Peter Firmstone <pe...@zeus.net.au>
> Subject: Re: x509 certificates for jarsigner to sign maven repos release jar file artifacts
> 
> I don't think Peter needs this, but perhaps someone else reading;
> 
> When Uwe mentions "don't use it willy-nilly, because it costs ASF money", it is important to also point out "do whatever you can to make your projects more secure, even if it costs ASF a bit of money".
> 
> We spend quite a lot on keeping our systems running to serve the public, but our primary purpose is to produce software, and we should try to minimize the security risks associated with that software to the greatest extent possible. So from my PoV, if it takes 10s of thousands of dollars to do this, it should still be done. And at some point, we could re-negotiate a ceiling price with the supplier.
> 
> Cheers
> Niclas
> 
> On Dec 30, 2015 09:33, "Uwe Schindler" <uw...@thetaphi.de> wrote:
> Hi,
> 
> Code signing is supported by Apache infrastructure. But it should only be used where needed, not just for any JAR. Use cases are webstart applications or other stuff using java's security manager that need to validate code authenticity, or signing Windows exe files for starting services. Because it costs money.
> 
> https://blogs.apache.org/infra/entry/code_signing_service_now_available
> 
> Uwe
> 
> Am 30. Dezember 2015 00:34:05 MEZ, schrieb Peter Firmstone <pe...@zeus.net.au>:
>  The current process for releases is to generate signatures for artifacts using gnupgp and pgp developer certificates.
> 
> For jar files that will be uploaded to Maven, is there an apache process to sign jar file release artifacts using X509 certificates?
> 
> Is there a certificate authority that will sign a certificate for an apache project?  Or is it possible the apache.org website certificate could be used to sign jar files?
> 
> Thanks,
> 
> Peter.
> 
> Sent from my Samsung device.
>  
> 
> --
> Uwe Schindler
> H.-H.-Meier-Allee 63, 28213 Bremen
> http://www.thetaphi.de
>