Posted to infrastructure-dev@apache.org by Mark Thomas <ma...@apache.org> on 2014/10/14 21:07:56 UTC
[OFFLIST] Re: Code signing
On 10/10/2014 02:37, Raymond DeCampo wrote:
> Mark,
>
> I've got the code running in a Maven plug in but I am running into an
> authentication error when the service is called. I checked out the Tomcat
> build scripts but they just have placeholders for the authentication
> information.
private static String USERNAME = "AOOAPI";
private static String PASSWORD = "Demo1234!";
private static String PARTNERCODE = "4615797APA95264";
Enjoy!
Mark
>
> Also, I thought I should verify some assumptions I was making. First,
> since this is a Maven plug-in, I assumed we were interested in signing the
> archive built by the Maven script. Is this what we want or are we signing
> an arbitrary set of files?
>
> Second, and this kind of goes with the first assumption, I assumed we were
> signing JAR files and not executables. In this case I need to know how to
> vary the parameters to the signing service. E.g., I imagine the
> signingServiceName would be different from "Microsoft Signing".
>
> Thanks,
> Ray
>
> On Wed, Sep 24, 2014 at 4:17 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 23/09/2014 20:45, Raymond DeCampo wrote:
>>> I'll see what I can glean from the WSDL
>>
>> That and the Tomcat code should be enough for you to figure things out.
>>
>> I discovered today that the production service and the test service have
>> some minor differences. The production service needs files to have
>> extensions else it fails to sign them. So, rather than naming the files
>> 0,1,2 etc. the Tomcat code now retains the original file extension so
>> the names are 0.exe,1.dll, etc.
>>
>>> I have joined the mailing list
>>
>> Excellent.
>>
>> Mark
>>
>>
>>>
>>> On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 23/09/2014 15:20, Mark Thomas wrote:
>>>>> On 22/09/2014 21:39, Raymond DeCampo wrote:
>>>>>> Mark,
>>>>>>
>>>>>> Do you have any documentation on the web service that is being used to
>>>>>> sign the code?
>>>>>
>>>>> I do, but it was under an NDA. Symantec were going to relax that so we
>>>>> could share the API information. Let me check where we are with that.
>>>>
>>>> Hmm. Symantec are happy that any code that interacts with the API is
>>>> public but they haven't said we can share the API doc (to be fair I
>>>> haven't asked).
>>>>
>>>> For now, the WSDL is public and can be obtained here:
>>>> https://api.ws.symantec.com/webtrust/SigningService?wsdl
>>>>
>>>> Is that enough or do you need more? If you have specific questions I can
>>>> answer them.
>>>>
>>>>> Also, I'm moving this discussion to the appropriate list -
>>>>> infrastructure-dev@apache.org. Please subscribe to that list.
>>>>
>>>> Let me know when you do, and I'll stop cc'ing you.
>>>>
>>>> Cheers,
>>>>
>>>> Mark
>>>>
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Ray
>>>>>>
>>>>>> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas <markt@apache.org
>>>>>> <ma...@apache.org>> wrote:
>>>>>>
>>>>>> On 12/09/2014 19:34, Raymond DeCampo wrote:
>>>>>> > Mark,
>>>>>> >
>>>>>> > I haven't coded a maven plugin before but I am willing to figure
>>>> it out
>>>>>> > as I have been looking for some way to contribute.
>>>>>> >
>>>>>> > Just dump me whatever information/code you have and I will take
>>>> it from
>>>>>> > there. Given you have an ANT plug in already working I don't
>>>> anticipate
>>>>>> > it will be too difficult.
>>>>>>
>>>>>> Thanks for the offer. Am I correct in thinking you aren't an
>> Apache
>>>>>> Committer? Getting you access to the test instance in that case
>>>> might be
>>>>>> a little tricky. We can cross that bridge when we come to it.
>>>>>>
>>>>>> The Ant task is here:
>>>>>>
>>>>
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
>>>>>>
>>>>>> It does have an issue in that it loads the Base64 of the zip of of
>>>> the
>>>>>> files to be signed into memory. It would be much better if it was
>>>>>> streamed. If you fancy taking at a look at that first...
>>>>>>
>>>>>> > Although, I did want to ask if ASF has any existing maven
>> plugins
>>>> so I
>>>>>> > can stay consistent with the established style.
>>>>>>
>>>>>> This is going to be an infrastructure tool and we don't have any
>>>> Maven
>>>>>> plugins I am aware of. To be perfectly honest I am far more
>>>> concerned
>>>>>> about getting something working than style.
>>>>>>
>>>>>> We should probably continue this on a list somewhere. Let me
>> figure
>>>> out
>>>>>> which one is best.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>> >
>>>>>> > Thanks,
>>>>>> > Ray
>>>>>> >
>>>>>> >
>>>>>> > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas <markt@apache.org
>>>> <ma...@apache.org>
>>>>>> > <mailto:markt@apache.org <ma...@apache.org>>> wrote:
>>>>>> >
>>>>>> > All,
>>>>>> >
>>>>>> > You may be aware that the ASF infra team has been working on
>>>>>> getting a
>>>>>> > code signing service set up.
>>>>>> >
>>>>>> > The test project for this is Apache Tomcat and we are at the
>>>>>> point where
>>>>>> > we are ready to do our first real signing. So why am I
>> writing
>>>>>> to the
>>>>>> > Commons dev list? Daemon.
>>>>>> >
>>>>>> > Tomcat uses Commons Daemon so we'd like to build the signed
>>>> Tomcat
>>>>>> > release with signed Commons Daemon binaries. I have the
>>>>>> signing for the
>>>>>> > Tomcat build automated but the Commons one is manual for now
>>>>>> so there
>>>>>> > are no tools to check in.
>>>>>> >
>>>>>> > The ASF will eventually need a Maven plugin to do signing as
>>>>>> part of the
>>>>>> > build. If anyone would like volunteer (I have a simple Ant
>>>> plug-in
>>>>>> > written) let me know.
>>>>>> >
>>>>>> > Shortly I will be starting a release vote for a signed
>>>> version of
>>>>>> > Commons Daemon 1.0.15. This will be exactly the same as the
>>>>>> binaries we
>>>>>> > have already shipped apart from that the Windows binaries in
>>>> the
>>>>>> > packages will be signed executables. I plan to stage them
>>>>>> alongside the
>>>>>> > existing 1.0.15 binaries rather than replace them.
>> Eventually,
>>>>>> I expect
>>>>>> > the Daemon release process to generate signed binaries.
>>>>>> >
>>>>>> > Any questions, just ask.
>>>>>> >
>>>>>> > Mark
>>>>>> >
>>>>>> >
>>>>>>
>>>> ---------------------------------------------------------------------
>>>>>> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>>> <ma...@commons.apache.org>
>>>>>> > <mailto:dev-unsubscribe@commons.apache.org
>>>>>> <ma...@commons.apache.org>>
>>>>>> > For additional commands, e-mail:
>> dev-help@commons.apache.org
>>>> <ma...@commons.apache.org>
>>>>>> > <mailto:dev-help@commons.apache.org
>>>>>> <ma...@commons.apache.org>>
>>>>>> >
>>>>>> >
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
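A concrete shape for the two points made above (zip entry names keep their original extension, since the production service rejects extension-less files, and the Base64 of the zip is streamed rather than built in memory), written as an added example in Java; this is not the Tomcat SignCode task nor any code from this thread, and the class and method names are my own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Base64;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

/** Hypothetical helper, not part of Tomcat: packages files for a signing request. */
public final class SigningRequestPackager {

    private SigningRequestPackager() { }

    /** Entry name for the i-th file, e.g. "1.dll"; refuses files with no extension. */
    static String entryName(int index, String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot <= 0 || dot == fileName.length() - 1) {
            throw new IllegalArgumentException(
                "Signing service requires a file extension, none found on: " + fileName);
        }
        return index + fileName.substring(dot);
    }

    /**
     * Writes base64(zip(files)) to {@code out}, holding at most one buffer in memory.
     * {@code out} would typically be a temporary file or the request body stream.
     * Closing the Base64 stream flushes its padding and also closes {@code out}.
     */
    public static void writeBase64Zip(List<File> files, OutputStream out) throws IOException {
        try (OutputStream b64 = Base64.getEncoder().wrap(out);
             ZipOutputStream zip = new ZipOutputStream(b64)) {
            byte[] buf = new byte[8192];
            for (int i = 0; i < files.size(); i++) {
                File f = files.get(i);
                // Numbered name with the original extension kept, e.g. 0.exe, 1.dll
                zip.putNextEntry(new ZipEntry(entryName(i, f.getName())));
                try (InputStream in = new FileInputStream(f)) {
                    int n;
                    while ((n = in.read(buf)) != -1) {
                        zip.write(buf, 0, n);
                    }
                }
                zip.closeEntry();
            }
        }
    }
}
```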
Re: [Not! OFFLIST] Re: Code signing
Posted by Mark Thomas <ma...@apache.org>.
On 14/10/2014 20:07, Mark Thomas wrote:
> On 10/10/2014 02:37, Raymond DeCampo wrote:
>> Mark,
>>
>> I've got the code running in a Maven plug in but I am running into an
>> authentication error when the service is called. I checked out the Tomcat
>> build scripts but they just have placeholders for the authentication
>> information.
>
> private static String USERNAME = "AOOAPI";
> private static String PASSWORD = "Demo1234!";
> private static String PARTNERCODE = "4615797APA95264";
And I am an idiot.
I'll get Symantec to change those but for now you can use them.
Mark
>
> Enjoy!
>
> Mark
>
>