Posted to general@logging.apache.org by Scott Deboy <sc...@gmail.com> on 2013/10/21 02:46:29 UTC

Java code signing cert needed

Now that extras is released (with a re-release imminent), it's time to
turn toward a release of Chainsaw.

Chainsaw can be run via WebStart, which is the easiest way for people
to start the app - click a link, accept the prompt, and Chainsaw is
running.  Chainsaw's 'current' release is self-signed... a long time
ago.

Java 7U51, to be released January 14, will refuse to load code signed
by a self-signed certificate.

I requested a Java code signing certificate over two years ago via
https://issues.apache.org/jira/browse/INFRA-3991.  It was promptly
closed, and while there was a Wiki page created, nothing has happened
since.

I've reopened the Jira issue, but I think if Infra closes it again or
doesn't offer to help, it's probably time to escalate this.  Is Sam
Ruby still the Chair of Infra?  Should we talk to him?  Send something
to the board?

Two years is way too long to wait for Infra to be responsive...  Other
folks (OpenOffice) also require code signing but probably have more
complicated requirements.  Our Chainsaw build is simple, and Java code
signing is driven by the build.  Infra just has to define their
process for managing the certs and keys.

Let me know what you folks think the appropriate next step is.

Thanks,

Scott

Re: Java code signing cert needed

Posted by Scott Deboy <sc...@gmail.com>.
Thanks Christian,

Yes, let's wait a few days and see who responds to the mailing list
thread or the Jira issue.

Infra already manages SSL certificates if I recall, so the code
signing 'cert management' part shouldn't be too bad... I think the
bigger issue for Infra is working through a process that allows them
to confirm that what they are signing is the same thing that was voted
on.

I don't recall if there is such a thing as 'child' code signing
certificates... I think WRowe replied on that mailing list thing,
something about that not being supported.  But I think they may have a
couple of choices: a code signing cert per PMC, or an Apache-wide code
signing cert.

Either way, I think the bits are there in the Chainsaw build to
support whatever automation they want to put around their signing
process.  Hopefully the Symantec code signing service will be pursued
and this will move quickly.

Scott


On 10/21/13, Christian Grobmeier <gr...@gmail.com> wrote:
> Hi Scott,
>
> I just read through the discussion and I feel you have not got a reply
> which we can be satisfied with.
> If somebody had said "it's not possible because of $x", ok. But I
> could not find any information on why code signing is not possible in
> the Jira, nor did I find any information on the wiki page.
>
> Also I cannot understand why people are saying you are flaming. I feel
> this was/is a valid request which was not handled.
>
> I just added a comment on the Jira to back you.
>
> However, my first idea was to wait and see if we receive an answer in
> the next days.
>
> If we do not receive an answer, we can ask Sam in private first if he
> can advise us what to do.
>
> After all, I would like to put it into the next board report because
> this issue blocks us. At least we need an answer on whether it works in
> general or is not supported at all.
>
> As I have understood from your mail, it seems that infra can have some
> kind of root certificate from which we could have a child certificate to
> sign our software. It seems similar to what I have heard about .NET
> applications.
>
> Please let me know if my ideas work for you or if you would like to make
> it somehow different.
>
>
>
> On 21 Oct 2013, at 2:46, Scott Deboy wrote:
>
>> Now that extras is released (with a re-release imminent), it's time to
>> turn toward a release of Chainsaw.
>>
>> Chainsaw can be run via WebStart, which is the easiest way for people
>> to start the app - click a link, accept the prompt, and Chainsaw is
>> running.  Chainsaw's 'current' release is self-signed... a long time
>> ago.
>>
>> Java 7U51, to be released January 14, will refuse to load code signed
>> by a self-signed certificate.
>>
>> I requested a Java code signing certificate over two years ago via
>> https://issues.apache.org/jira/browse/INFRA-3991.  It was promptly
>> closed, and while there was a Wiki page created, nothing has happened
>> since.
>>
>> I've reopened the Jira issue, but I think if Infra closes it again or
>> doesn't offer to help, it's probably time to escalate this.  Is Sam
>> Ruby still the Chair of Infra?  Should we talk to him?  Send something
>> to the board?
>>
>> Two years is way too long to wait for Infra to be responsive...  Other
>> folks (OpenOffice) also require code signing but probably have more
>> complicated requirements.  Our Chainsaw build is simple, and Java code
>> signing is driven by the build.  Infra just has to define their
>> process for managing the certs and keys.
>>
>> Let me know what you folks think the appropriate next step is.
>>
>> Thanks,
>>
>> Scott
>
>
> ---
> http://www.grobmeier.de
> @grobmeier
> GPG: 0xA5CC90DB
>
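The point Scott raises above, that the signing step has to confirm the artifact is the same one that was voted on, can be enforced in the build itself. The script below is an added example, not the Chainsaw build or any Apache Infra process: it compares the jar's SHA-512 against the digest recorded in the vote thread before jarsigner ever runs, and afterwards runs `jarsigner -verify -strict`, which fails for a signature Java would reject (the self-signed case that 7u51 will stop loading). The keystore path, alias and file names are assumptions.

```shell
#!/bin/sh
# Gate code signing on the artifact matching the digest recorded in the
# release vote, then verify the resulting signature. Added example; not the
# Chainsaw build or the Apache Infra signing process, and the paths and
# alias used below are assumptions.

# Print the SHA-512 hex digest of a file (GNU sha512sum, or shasum on BSD/macOS).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only when FILE's digest equals EXPECTED (the value copied from the
# vote thread, never recomputed from the file about to be signed).
digest_matches() {
  [ "$(sha512_of "$1")" = "$2" ]
}

# Sign JAR with ALIAS from KEYSTORE, but only after the vote-digest check passes.
# Refuses (return 1) before jarsigner is invoked when the artifact differs
# from what was voted on, so a rebuilt or swapped jar never gets a valid signature.
sign_if_voted() {
  jar="$1"; expected="$2"; keystore="$3"; alias="$4"
  if ! digest_matches "$jar" "$expected"; then
    echo "refusing to sign $jar: SHA-512 does not match the voted artifact" >&2
    return 1
  fi
  jarsigner -keystore "$keystore" "$jar" "$alias" || return 1
  # -strict makes jarsigner exit non-zero for a signature the Java runtime
  # would reject, e.g. an untrusted or self-signed signer certificate.
  jarsigner -verify -strict "$jar"
}

# Usage with assumed values; VOTED_SHA512 is taken from the vote e-mail:
# sign_if_voted chainsaw.jar "$VOTED_SHA512" /path/to/release.jks chainsaw-signer
```

The digest check is the part that keeps the signer honest: a release manager who recomputes the hash from the file in front of them proves nothing, while comparing against the value the PMC actually voted on ties the signature to the approved bits.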

Re: Java code signing cert needed

Posted by Christian Grobmeier <gr...@gmail.com>.
Hi Scott,

I just read through the discussion and I feel you have not got a reply
which we can be satisfied with.
If somebody had said "it's not possible because of $x", ok. But I
could not find any information on why code signing is not possible in
the Jira, nor did I find any information on the wiki page.

Also I cannot understand why people are saying you are flaming. I feel
this was/is a valid request which was not handled.

I just added a comment on the Jira to back you.

However, my first idea was to wait and see if we receive an answer in
the next days.

If we do not receive an answer, we can ask Sam in private first if he 
can advise us what to do.

After all, I would like to put it into the next board report because
this issue blocks us. At least we need an answer on whether it works in
general or is not supported at all.

As I have understood from your mail, it seems that infra can have some
kind of root certificate from which we could have a child certificate to
sign our software. It seems similar to what I have heard about .NET
applications.

Please let me know if my ideas work for you or if you would like to make 
it somehow different.



On 21 Oct 2013, at 2:46, Scott Deboy wrote:

> Now that extras is released (with a re-release imminent), it's time to
> turn toward a release of Chainsaw.
>
> Chainsaw can be run via WebStart, which is the easiest way for people
> to start the app - click a link, accept the prompt, and Chainsaw is
> running.  Chainsaw's 'current' release is self-signed... a long time
> ago.
>
> Java 7U51, to be released January 14, will refuse to load code signed
> by a self-signed certificate.
>
> I requested a Java code signing certificate over two years ago via
> https://issues.apache.org/jira/browse/INFRA-3991.  It was promptly
> closed, and while there was a Wiki page created, nothing has happened
> since.
>
> I've reopened the Jira issue, but I think if Infra closes it again or
> doesn't offer to help, it's probably time to escalate this.  Is Sam
> Ruby still the Chair of Infra?  Should we talk to him?  Send something
> to the board?
>
> Two years is way too long to wait for Infra to be responsive...  Other
> folks (OpenOffice) also require code signing but probably have more
> complicated requirements.  Our Chainsaw build is simple, and Java code
> signing is driven by the build.  Infra just has to define their
> process for managing the certs and keys.
>
> Let me know what you folks think the appropriate next step is.
>
> Thanks,
>
> Scott


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB