Posted to log4j-dev@logging.apache.org by Ralph Goers <ra...@dslextreme.com> on 2014/08/30 04:51:03 UTC
Re: [5/7] git commit: Note correct signing key for distribution.
What is the story with the ASF code signing key? Matt, I noticed that you added Log4j 2 to the Jira issue.
Ralph
On Aug 29, 2014, at 7:31 PM, mattsicker@apache.org wrote:
> Note correct signing key for distribution.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo
> Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/066e1855
> Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/066e1855
> Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/066e1855
>
> Branch: refs/heads/master
> Commit: 066e1855e7ed4a349904809f4bd866aa9ca85a2e
> Parents: a2c18b6
> Author: Matt Sicker <ma...@apache.org>
> Authored: Fri Aug 29 18:56:46 2014 -0500
> Committer: Matt Sicker <ma...@apache.org>
> Committed: Fri Aug 29 18:56:46 2014 -0500
>
> ----------------------------------------------------------------------
> src/site/apt/download.apt.vm | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/066e1855/src/site/apt/download.apt.vm
> ----------------------------------------------------------------------
> diff --git a/src/site/apt/download.apt.vm b/src/site/apt/download.apt.vm
> index dea8abc..e4b2f26 100644
> --- a/src/site/apt/download.apt.vm
> +++ b/src/site/apt/download.apt.vm
> @@ -54,7 +54,8 @@ Download Apache Log4j 2
> % gpg --verify apache-log4j-${Log4jReleaseVersion}-bin.tar.gz.asc
> ---
>
> - Apache Log4j 2 is signed by Ralph Goers B3D8E1BA
> +~~ Apache Log4j 2 is signed by Ralph Goers B3D8E1BA
> + Apache Log4j ${Log4jReleaseVersion} is signed by Matt Sicker (FA1C814D)
>
> Alternatively, you can verify the MD5 signature on the files. A unix program called md5 or md5sum is included
> in many unix distributions.
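Review bot: the added line `+ Apache Log4j ${Log4jReleaseVersion} is signed by Matt Sicker (FA1C814D)` pins the release signer only by name and a 32-bit short key ID, which is not enough for the `gpg --verify` shown two lines above to mean anything: a short ID is just the last eight hex digits of the fingerprint, keys with an arbitrary chosen short ID can be generated, and gpg will happily print "Good signature from Matt Sicker" for an impostor key the reader imported by that ID. Print the full 40-hex-digit fingerprint here and tell readers to import the key from the project's KEYS file and compare the fingerprint before verifying. Also, the old signer line is kept as a `~~` APT comment rather than deleted; if releases signed by B3D8E1BA are still downloadable, state that in visible text (with that key's full fingerprint) instead of hiding it in the source. Finally, the unchanged context right after ("you can verify the MD5 signature") calls a checksum a signature; an MD5 file fetched from the same mirror proves nothing about who published the archive and should not be offered as an alternative to the GPG check.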
> @@ -76,4 +77,4 @@ log4j-api-${Log4jReleaseVersion}.jar
> log4j-core-${Log4jReleaseVersion}.jar
> ---
>
> - You can do this from the command line or a manifest file.
> \ No newline at end of file
> + You can do this from the command line or a manifest file.
>
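Review bot: this hunk only adds the missing newline at end of file on `You can do this from the command line or a manifest file.`; harmless, but it is unrelated to the signing-key correction the commit message describes, so either split it into its own whitespace commit or mention it in the message so the diff is not mistaken for a content change.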
---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org
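For the `gpg --verify` step in the download-page text quoted above, here is an added example (my code, not from the thread or the Log4j project) of accepting a release only when the signature was made by a key whose full fingerprint is on an allowlist, rather than trusting gpg's exit status or the 8-hex-digit short ID the page lists. It assumes gpg is on PATH and the signer's key has been imported; the fingerprints, timestamps and `[GNUPG:]` status lines embedded in it are constructed placeholders, not real Apache keys.

```python
"""Check a GnuPG detached-signature result by full key fingerprint.

Added example (not from the log4j-dev thread or the Log4j project). It
parses the machine-readable lines gpg emits with --status-fd and accepts a
release only if the signature is good and was made by a key whose *full*
fingerprint is on an allowlist. A short key ID such as the 8 hex digits on
the download page is only the last 32 bits of that fingerprint and is easy
to collide, so it is never used as the acceptance criterion here.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Status keywords gpg prints (documented in GnuPG's doc/DETAILS).
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")
_FAILURES = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA")


@dataclass
class Verdict:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def short_id(fingerprint: str) -> str:
    """The 8-hex-digit 'short key ID' is just the tail of the fingerprint."""
    return fingerprint.replace(" ", "")[-8:].upper()


def check_status(status_output: str, trusted_fingerprints: Iterable[str]) -> Verdict:
    """Decide from gpg --status-fd output whether a release signature is acceptable.

    gpg exiting 0 only means "some key in my keyring made a good signature";
    the caller must additionally pin the signer, done here by full fingerprint.
    """
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    fingerprint = None
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in _FAILURES:
            return Verdict(False, None, f"gpg reported {parts[1]}")
        m = _VALIDSIG.match(line)
        if m:
            fingerprint = m.group(1)
    if fingerprint is None:
        return Verdict(False, None, "no VALIDSIG line: signature not verified")
    if fingerprint not in trusted:
        return Verdict(False, fingerprint, "good signature, but not from a trusted release key")
    return Verdict(True, fingerprint, "signed by trusted key")


def verify_release(artifact: str, signature: str, trusted_fingerprints: Iterable[str]) -> Verdict:
    """Run gpg on a real download (needs gpg on PATH and the KEYS file imported)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout, trusted_fingerprints)


# Constructed sample data: placeholder fingerprints, not real Apache keys.
TRUSTED_RELEASE_KEY = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
# A different key whose last 8 hex digits equal the trusted key's short ID:
# a short-ID comparison accepts it, the full-fingerprint comparison does not.
COLLIDING_KEY = "FEDCBA9876543210FEDCBA9876543210" + "01234567"

GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Manager <rm@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-08-29 1409356606 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
COLLIDING_STATUS = GOOD_STATUS.replace("0123456789ABCDEF0123456789ABCDEF01234567", COLLIDING_KEY)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Release Manager <rm@example.invalid>\n"
)

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("colliding", COLLIDING_STATUS), ("bad", BAD_STATUS)]:
        v = check_status(status, [TRUSTED_RELEASE_KEY])
        same_short = v.fingerprint is not None and short_id(v.fingerprint) == short_id(TRUSTED_RELEASE_KEY)
        print(f"{name:10s} ok={v.ok} short_id_matches={same_short} {v.reason}")
```

The colliding case is the point: both keys print the same short ID, so a reader who imported "the key FA1C814D" from a keyserver and saw "Good signature" has learned nothing; only the full fingerprint comparison rejects it.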
Re: [5/7] git commit: Note correct signing key for distribution.
Posted by Matt Sicker <bo...@gmail.com>.
Well it'd be a separate part of signing release artifacts. It would be the
built-in JAR signing rather than the GPG signing we currently do. I think
you can use both.
On 30 August 2014 11:04, Scott Deboy <sc...@gmail.com> wrote:
> Chainsaw is actually the immediate need for the code signing cert.
>
> Scott
--
Matt Sicker <bo...@gmail.com>
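On the two signing layers Matt describes (GPG detached signatures over the release archives, plus the JDK's own jarsigner signatures inside the JARs), here is an added example, my code and not Log4j project code, showing what the JAR-side layer actually covers. It re-implements only the first check jarsigner -verify performs: each entry's bytes against the SHA-256-Digest recorded for it in META-INF/MANIFEST.MF, and it flags entries that have no manifest section, which jarsigner reports as unsigned. It does not verify the META-INF/*.SF and *.RSA signature block that binds the manifest to the code-signing certificate; that is left to jarsigner. The JAR, its entries and the tampered copy are constructed inside the script.

```python
"""Check the per-entry digest layer of a signed JAR against its manifest.

Added example, not Log4j project code. A JAR signed with jarsigner carries
META-INF/MANIFEST.MF with a SHA-256-Digest section for every signed entry,
META-INF/<SIGNER>.SF digesting that manifest, and META-INF/<SIGNER>.RSA
(or .DSA/.EC), a PKCS#7 signature over the .SF. jarsigner -verify checks
all three layers; this script re-implements only the first (entry bytes
against the manifest) and flags entries with no manifest section, which
jarsigner reports as unsigned. The .SF/.RSA layer is NOT checked here.
"""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple


def parse_manifest(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a manifest into its main section and per-entry sections keyed by Name."""
    sections: List[Dict[str, str]] = [{}]
    last_key = ""
    for line in text.splitlines():
        if line == "":
            if sections[-1]:
                sections.append({})
            continue
        if line.startswith(" "):  # continuation of a line wrapped at 72 bytes
            sections[-1][last_key] += line[1:]
            continue
        key, _, value = line.partition(": ")
        sections[-1][key] = value
        last_key = key
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return sections[0], entries


def digest_b64(data: bytes) -> str:
    """Manifest digests are base64(SHA-256(entry bytes))."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def check_entry_digests(jar_bytes: bytes) -> Dict[str, str]:
    """Verdict per non-META-INF entry: 'ok', 'modified' or 'unsigned'."""
    verdicts: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        _, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            section = entries.get(name)
            if section is None or "SHA-256-Digest" not in section:
                verdicts[name] = "unsigned"  # in the JAR, but absent from the manifest
            elif section["SHA-256-Digest"] == digest_b64(zf.read(name)):
                verdicts[name] = "ok"
            else:
                verdicts[name] = "modified"
    return verdicts


def build_jar(files: Dict[str, bytes], signed_names: List[str]) -> bytes:
    """Constructed sample JAR whose manifest digests only `signed_names`."""
    manifest = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name in signed_names:
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest_b64(files[name])}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tamper(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Replace one entry without touching the manifest, as a post-signing edit would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            data = new_data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


# Constructed contents: a class-file stub, a config file, and one file left unsigned.
FILES = {
    "org/example/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
    "log4j2.xml": b"<Configuration/>",
    "extra.txt": b"added after signing",
}
SAMPLE_JAR = build_jar(FILES, ["org/example/Main.class", "log4j2.xml"])
TAMPERED_JAR = tamper(SAMPLE_JAR, "log4j2.xml", b'<Configuration status="debug"/>')

if __name__ == "__main__":
    print("original:", check_entry_digests(SAMPLE_JAR))
    print("tampered:", check_entry_digests(TAMPERED_JAR))
```

Two things this makes visible that "the JAR is signed" hides: an entry added after signing is simply not covered (jarsigner lists it as unsigned rather than failing the JAR outright), and a modified entry is caught only because its manifest digest is itself covered by the .SF/.RSA signature, so a consumer that skips the signature-block check, as this script does, can be fooled by someone who rewrites both the entry and the manifest.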
Re: [5/7] git commit: Note correct signing key for distribution.
Posted by Scott Deboy <sc...@gmail.com>.
Chainsaw is actually the immediate need for the code signing cert.
Scott
On Aug 29, 2014 9:19 PM, "Ralph Goers" <ra...@dslextreme.com> wrote:
> Why can’t it be used to sign release artifacts?
>
> Ralph
Re: [5/7] git commit: Note correct signing key for distribution.
Posted by Ralph Goers <ra...@dslextreme.com>.
Why can’t it be used to sign release artifacts?
Ralph
On Aug 29, 2014, at 7:55 PM, Matt Sicker <bo...@gmail.com> wrote:
> Oh that's definitely a different signing key. That's supposed to make it possible for Log4j to be embedded in Java WebStart and Applet programs that all rely on code signing for general security. I believe the idea is that the code can be signed by some build server during release to prevent leaking our key.
Re: [5/7] git commit: Note correct signing key for distribution.
Posted by Matt Sicker <bo...@gmail.com>.
Oh that's definitely a different signing key. That's supposed to make it
possible for Log4j to be embedded in Java WebStart and Applet programs that
all rely on code signing for general security. I believe the idea is that
the code can be signed by some build server during release to prevent
leaking our key.
On 29 August 2014 21:51, Ralph Goers <ra...@dslextreme.com> wrote:
> What is the story with the ASF code signing key. Matt, I noticed that you
> added Log4j 2 to the Jira issue.
>
> Ralph
--
Matt Sicker <bo...@gmail.com>