You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2017/09/13 18:09:00 UTC
Code signing service restored
Hi,
FYI but mainly for anyone doing a release, the code signing service is
available again. The account has been renewed for another year and we
(Tomcat) have enough credits to keep us going for a while. I'll keep an
eye on our credit usage and get our allocation increased if we need more.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Code signing service restored
Posted by Mark Thomas <ma...@apache.org>.
On 15/09/17 16:40, Christopher Schultz wrote:
> Mark,
>
> On 9/13/17 2:09 PM, Mark Thomas wrote:
>> FYI but mainly for anyone doing a release, the code signing service is
>> available again. The account has been renewed for another year and we
>> (Tomcat) have enough credits to keep us going for a while. I'll keep an
>> eye on our credit usage and get our allocation increased if we need more.
>
> IIRC, Symantec was the vendor providing code-signing certificates.
Correct.
> Are those certificates impacted by the impending dis-trusting of
> Symantec-issued TLS certificates?
>
> DigiCert is purchasing (has purchased?) Symantec's various CAs, and that
> also might have an effect on (a) the trust of our
> certificates/signatures and (b) the future of the code-signing
> arrangement with the new vendor.
I haven't dug into the detail but my understanding is that the code
signing service will transition to DigiCert.
I'm expecting minimal impact for us. Particularly since no-one has even
questioned the fact that the last handful of Windows Installer releases
have been unsigned.
> I suspect DigiCert will be happy to continue to provide ASF with
> low/no-cost code-signing credits, but it might be nice to have that
> clarified sooner rather than later.
As one of the ASF admins of the code signing service I've had a couple
of emails assuring of a smooth transition so I'm fairly confident.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Code signing service restored
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 9/13/17 2:09 PM, Mark Thomas wrote:
> FYI but mainly for anyone doing a release, the code signing service is
> available again. The account has been renewed for another year and we
> (Tomcat) have enough credits to keep us going for a while. I'll keep an
> eye on our credit usage and get our allocation increased if we need more.
IIRC, Symantec was the vendor providing code-signing certificates.
Are those certificates impacted by the impending dis-trusting of
Symantec-issued TLS certificates?
DigiCert is purchasing (has purchased?) Symantec's various CAs, and that
also might have an effect on (a) the trust of our
certificates/signatures and (b) the future of the code-signing
arrangement with the new vendor.
I suspect DigiCert will be happy to continue to provide ASF with
low/no-cost code-signing credits, but it might be nice to have that
clarified sooner rather than later.
Thanks,
-chris