Posted to infrastructure-issues@apache.org by "Mark Thomas (JIRA)" <ji...@apache.org> on 2014/06/26 15:54:26 UTC

[jira] [Commented] (INFRA-3991) Request for code signing certificate

    [ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14044664#comment-14044664 ] 

Mark Thomas commented on INFRA-3991:
------------------------------------

I have been somewhat distracted with other work for a while but have been able to come back to this this week and hope to reach a resolution fairly shortly.

The Web based UI looks to meet our needs. Ideally, some customisation will be required so it uses ASF terminology but in the worst case we can provide documentation to deal with that.

We will need to work with Symantec on exactly how they are going to validate new accounts. For release managers, we want it to be as simple as you have an @apache.org address, you can have a user account. The PMC process may require some manual infra steps but given the number of PMCs that should be manageable.

I am currently looking at the SOAP API to ensure that we can integrate it with our build processes (we don't want signing to have to be a manual process). I have a basic client created for testing and a stubbed out custom Ant Task in the Tomcat build process for signing. As soon as I get some credentials for the SOAP API I'll start bringing these two bits together.

> Request for code signing certificate
> ------------------------------------
>
>                 Key: INFRA-3991
>                 URL: https://issues.apache.org/jira/browse/INFRA-3991
>             Project: Infrastructure
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>            Reporter: Scott Deboy
>            Assignee: Mark Thomas
>
> The Logging Services project provides a WebStart-deployed Swing application, Chainsaw.  To deploy Chainsaw via WebStart and take advantage of all of its features, the jars that are downloaded must be signed by a code signing certificate which has been signed by a trusted root CA.
> It would seem to me it would make sense to have this code signing certificate and associated keys managed by the ASF and not be a project-specific certificate, so other projects could take advantage of the same resources.  If you feel it makes more sense to get Logging Services its own code signing certificate that is managed by the PMC, I'm fine with that as well - I would just like the issue to be resolved.
> I assume if this resource were an ASF-wide resource, the keys and certificate would be managed by infra.  If so, I'm not sure what workflow infra would like to use - maybe a jira issue with release candidate jars and pgp info, and signed jars could be added back to the same jira?  We don't release often, so just let us know what you would like.
> Our needs are relatively simple, and I understand others may have more complex needs.  PMC members or the RM could manage self-signed certificates and 'get by', but I would rather have an official code signing cert provided by ASF itself.



--
This message was sent by Atlassian JIRA
(v6.2#6252)