Posted to dev@flex.apache.org by Om <bi...@gmail.com> on 2012/07/17 01:19:50 UTC

[MENTOR] InstallApacheFlex AIR app related questions

(Carol/Alex, please feel free to jump in as well)

This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you
download a binary file.
For this discussion, the InstallApacheFlex AIR app = 'Installer'

1.  Should the installer be signed in the same way as the Apache Flex SDK
binary is signed?  The process for signing AIR apps is described here
[1<http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html>]
How do we do this in the Apache way?

2.  The installer downloads the binary distribution of the Apache Flex
sdk.  Should the installer programmatically verify the downloaded binary
file's signature before uncompressing it?

3.  I see that mirrors are preferred over downloading directly from Apache
servers.  Is there a standard list of mirror locations that I can access
from somewhere?  I think I will need to modify the installer to dynamically
select a mirror for downloading from, right?

[1]
http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html

Thanks,
Om

Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Dave Fisher <da...@comcast.net>.
On Jul 17, 2012, at 8:18 PM, Justin Mclean wrote:

> Hi,
> 
>> The recommendation is to sign this binary convenience package in the same way as the binary packages are signed - as pgp detached signature. You can follow the digital signing discussions on infrastructure-dev in either the archives or by joining the list.
> 
> As AIR apps include their own signing process wouldn't it be simpler to just sign the application once rather than twice? If we only sign the package as above we may want to consider the warning message (basically states that the application is from an unknown and untrusted source) that is shown when an AIR app is installed for the first time - the normal Apache signing process won't change this warning.

Totally correct. The trouble is that The ASF is just determining whether and how it will provide signing services with apache.org credentials to projects. This is happening slowly on infrastructure-dev.

This project will need to instruct users on how to check a PGP signature for the source and binary release artifacts on the download page so it is not too much more to also ask that they check this artifact if they use it.

(Is someone working on the download page?)

(Totally agree that a digital signing certificate is a technically better solution.)

You could ask general@i.a.o about third party signing of this artifact and what that should mean for where it should be hosted.

Regards,
Dave

> 
> Thanks,
> Justin


Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> The recommendation is to sign this binary convenience package in the same way as the binary packages are signed - as pgp detached signature. You can follow the digital signing discussions on infrastructure-dev in either the archives or by joining the list.

As AIR apps include their own signing process wouldn't it be simpler to just sign the application once rather than twice? If we only sign the package as above we may want to consider the warning message (basically states that the application is from an unknown and untrusted source) that is shown when an AIR app is installed for the first time - the normal Apache signing process won't change this warning.

Thanks,
Justin

Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Dave Fisher <da...@comcast.net>.
On Jul 16, 2012, at 4:55 PM, Dave Fisher wrote:

> 
> On Jul 16, 2012, at 4:19 PM, Om wrote:
> 
>> (Carol/Alex, please feel free to jump in as well)
>> 
>> This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you
>> download a binary file.
>> For this discussion, the InstallApacheFlex AIR app = 'Installer'
>> 
>> 1.  Should the installer be signed in the same way as the Apache Flex SDK
>> binary is signed?  The process for signing AIR apps is described here
>> [1<http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html>]
>> How do we do this in the Apache way?
> 
> There is no established way to do this at this time. But that does not mean that these needs are not being discussed. The proper way to proceed is to subscribe to infrastructure-dev@apache.org (a private list)

Sorry not a private list. The apache public lists are archived here:

http://mail-archives.apache.org/mod_mbox/

Sorry about my mistake. At least it was in the acceptable direction. This community does understand how to avoid private discussions which should be avoided and limited to personnel / explicitly private matters.

> and then send an email with the subject: "Apache Flex: Digitally Signing Air Applications" and include this information. This path won't be quick, but Flex is not alone, other projects like OpenOffice are asking a similar question. The likely process will involve a buildbot under the control of Apache Infrastructure - this will involve an Apache.org certificate and the keys will be very closely held. Project specific certs are one possibility.

The recommendation is to sign this binary convenience package in the same way as the binary packages are signed - as pgp detached signature. You can follow the digital signing discussions on infrastructure-dev in either the archives or by joining the list.

Regards,
Dave
> 
> Are there any dependencies to building this AIR app beyond those for Apache Flex?
> 
> You could get a simpler answer from infra-dev than I think...
> 
>> 
>> 2.  The installer downloads the binary distribution of the Apache Flex
>> sdk.  Should the installer programmatically verify the downloaded binary
>> file's signature before uncompressing it?
> 
> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is a good idea) it must be from a different URL than the Binary.
> 
>> 
>> 3.  I see that mirrors are preferred over downloading directly from Apache
>> servers.  Is there a standard list of mirror locations that I can access
>> from somewhere?  I think I will need to modify the installer to dynamically
>> select a mirror for downloading from, right?
> 
> Yes. Take a look at http://incubator.apache.org/odftoolkit/downloads.html
> 
> Note the use of closer.cgi - this helps select an appropriate mirror from the Apache Mirror network.
> 
> With the appropriate parameters you can cause it to return the url. This will hide the details of the Apache Mirror network allowing the mirror operators to make whatever changes are needed as operators are added and removed.
> 
> Regards,
> Dave
> 
>> 
>> [1]
>> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>> 
>> Thanks,
>> Om
> 


Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Shannon Hicks <sh...@iotashan.com>.
I thought that was replaced by as3corelib?

https://github.com/mikechambers/as3corelib/tree/master/src/com/adobe/crypto

Shan

On Jul 16, 2012, at 9:19 PM, Cole Ferrier <co...@coleferrier.com> wrote:

> From a crypto algorithm support, you might want to take a look at:
> 
> http://code.google.com/p/as3crypto/
> 
> project lacks development progress and support but in the past I've used
> the library when I've needed one of the algorithms it supports.
> 
> Cole
> 
> On Mon, Jul 16, 2012 at 6:51 PM, Dave Fisher <da...@comcast.net> wrote:
> 
>> 
>> On Jul 16, 2012, at 6:22 PM, Justin Mclean wrote:
>> 
>>> Hi,
>>> 
>>>>> 2.  The installer downloads the binary distribution of the Apache Flex
>>>>> sdk.  Should the installer programmatically verify the downloaded binary
>>>>> file's signature before uncompressing it?
>>>> 
>>>> That is a good idea. If you retrieve a KEYS file (and I'm not sure if
>> that is a good idea) it must be from a different URL than the Binary.
>>> 
>>> Initially would a simple MD5/SHA1 hash check be enough?
>> 
>> Yes.
>> 
>>> Not sure it's straightforward to check digital signatures in Flex/AS.
>> Anyone have experience with this?
>> 
>> Let's see what digital signature support eventually comes out of Infra.
>> 
>> And yes it would be interesting to know what signature support there is in
>> FlashPlayer and/or Flex SDK.
>> 
>> Regards,
>> Dave
>> 
>>> 
>>> Thanks,
>>> Justin
>> 
>> 


Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Cole Ferrier <co...@coleferrier.com>.
From a crypto algorithm support, you might want to take a look at:

http://code.google.com/p/as3crypto/

project lacks development progress and support but in the past I've used
the library when I've needed one of the algorithms it supports.

Cole

On Mon, Jul 16, 2012 at 6:51 PM, Dave Fisher <da...@comcast.net> wrote:

>
> On Jul 16, 2012, at 6:22 PM, Justin Mclean wrote:
>
> > Hi,
> >
> >>> 2.  The installer downloads the binary distribution of the Apache Flex
> >>> sdk.  Should the installer programmatically verify the downloaded binary
> >>> file's signature before uncompressing it?
> >>
> >> That is a good idea. If you retrieve a KEYS file (and I'm not sure if
> that is a good idea) it must be from a different URL than the Binary.
> >
> > Initially would a simple MD5/SHA1 hash check be enough?
>
> Yes.
>
> > Not sure it's straightforward to check digital signatures in Flex/AS.
> Anyone have experience with this?
>
> Let's see what digital signature support eventually comes out of Infra.
>
> And yes it would be interesting to know what signature support there is in
> FlashPlayer and/or Flex SDK.
>
> Regards,
> Dave
>
> >
> > Thanks,
> > Justin
>
>

Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Dave Fisher <da...@comcast.net>.
On Jul 16, 2012, at 6:22 PM, Justin Mclean wrote:

> Hi,
> 
>>> 2.  The installer downloads the binary distribution of the Apache Flex
>>> sdk.  Should the installer programmatically verify the downloaded binary
>>> file's signature before uncompressing it?
>> 
>> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is a good idea) it must be from a different URL than the Binary.
> 
> Initially would a simple MD5/SHA1 hash check be enough?

Yes.

> Not sure it's straightforward to check digital signatures in Flex/AS. Anyone have experience with this?

Let's see what digital signature support eventually comes out of Infra.

And yes it would be interesting to know what signature support there is in FlashPlayer and/or Flex SDK.

Regards,
Dave

> 
> Thanks,
> Justin


Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

>> 2.  The installer downloads the binary distribution of the Apache Flex
>> sdk.  Should the installer programmatically verify the downloaded binary
>> file's signature before uncompressing it?
> 
> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is a good idea) it must be from a different URL than the Binary.

Initially would a simple MD5/SHA1 hash check be enough? Not sure it's straightforward to check digital signatures in Flex/AS. Anyone have experience with this?

Thanks,
Justin

Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Dave Fisher <da...@comcast.net>.
On Jul 16, 2012, at 4:19 PM, Om wrote:

> (Carol/Alex, please feel free to jump in as well)
> 
> This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> download a binary file.
> For this discussion, the InstallApacheFlex AIR app = 'Installer'
> 
> 1.  Should the installer be signed in the same way as the Apache Flex SDK
> binary is signed?  The process for signing AIR apps is described here
> [1<http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html>]
> How do we do this in the Apache way?

There is no established way to do this at this time. But that does not mean that these needs are not being discussed. The proper way to proceed is to subscribe to infrastructure-dev@apache.org (a private list) and then send an email with the subject: "Apache Flex: Digitally Signing Air Applications" and include this information. This path won't be quick, but Flex is not alone, other projects like OpenOffice are asking a similar question. The likely process will involve a buildbot under the control of Apache Infrastructure - this will involve an Apache.org certificate and the keys will be very closely held. Project specific certs are one possibility.

Are there any dependencies to building this AIR app beyond those for Apache Flex?

You could get a simpler answer from infra-dev than I think...

> 
> 2.  The installer downloads the binary distribution of the Apache Flex
> sdk.  Should the installer programmatically verify the downloaded binary
> file's signature before uncompressing it?

That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is a good idea) it must be from a different URL than the Binary.

> 
> 3.  I see that mirrors are preferred over downloading directly from Apache
> servers.  Is there a standard list of mirror locations that I can access
> from somewhere?  I think I will need to modify the installer to dynamically
> select a mirror for downloading from, right?

Yes. Take a look at http://incubator.apache.org/odftoolkit/downloads.html

Note the use of closer.cgi - this helps select an appropriate mirror from the Apache Mirror network.

With the appropriate parameters you can cause it to return the url. This will hide the details of the Apache Mirror network allowing the mirror operators to make whatever changes are needed as operators are added and removed.

Regards,
Dave

> 
> [1]
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> 
> Thanks,
> Om
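The download-and-verify flow Dave and Justin settle on above (archive from a closer.cgi-selected mirror, checksum fetched from a different URL on apache.org, no uncompressing until they agree), as an added example that is not code from the thread or from the InstallApacheFlex project. The fetch callables, the `.sha1` file name and the sample archive are constructed stand-ins for the real network calls:

```python
import hashlib
import hmac
import io
import tarfile
import tempfile

def parse_checksum_file(text):
    """Accept the usual '<hex>  <filename>' layout or a bare hex digest."""
    token = text.strip().split()[0].lower()
    if not token or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("checksum file does not contain a hex digest")
    return token

def verify_archive(archive_bytes, checksum_text, algorithm="sha1"):
    """True only if the mirror download hashes to the digest that was
    fetched from the canonical host; compare in constant time."""
    expected = parse_checksum_file(checksum_text)
    actual = hashlib.new(algorithm, archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

def install_sdk(fetch_mirror, fetch_canonical, name, dest):
    """fetch_mirror stands for the closer.cgi-chosen mirror, fetch_canonical
    for apache.org itself (assumed layout: checksum lives at <name>.sha1).
    Refuse to extract anything unless the checksum matches."""
    archive = fetch_mirror(name)
    checksum = fetch_canonical(name + ".sha1")
    if not verify_archive(archive, checksum, "sha1"):
        raise RuntimeError("checksum mismatch, refusing to uncompress " + name)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        tar.extractall(dest)
        return sorted(tar.getnames())

def build_sample_sdk():
    """Constructed stand-in for the Apache Flex SDK binary distribution."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"constructed sample, not the real SDK\n"
        info = tarfile.TarInfo("apache-flex-sdk/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo(tampered=False):
    """Returns extracted names, or None when the mirror copy was altered."""
    good = build_sample_sdk()
    served = good + b"\x00" if tampered else good   # altered mirror copy
    sha1_file = hashlib.sha1(good).hexdigest() + "  apache-flex-sdk.tar.gz\n"
    with tempfile.TemporaryDirectory() as dest:
        try:
            return install_sdk(lambda n: served, lambda n: sha1_file,
                               "apache-flex-sdk.tar.gz", dest)
        except RuntimeError:
            return None
```

A plain MD5/SHA1 check only detects a corrupted or swapped mirror copy; it says nothing about who produced the file, which is why the thread keeps the PGP detached signature as the end goal.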


Re: [MENTOR] InstallApacheFlex AIR app related questions

Posted by Carol Frampton <cf...@adobe.com>.
You asked somewhere how you sign your app in the Apache way.  The process
is somewhat documented here [1].

The rough steps you need to follow are:

1)  Create a key.
2)  Make sure the public part of your key is on one of the public servers.
3)  Add your key to
https://svn.apache.org/repos/asf/incubator/flex/trunk/KEYS.
4)  Ideally your key would be signed by others so it is linked into the
Apache web of trust.  Mine is not.
5)  Use the script sign_and_hash.sh which I just added to a new build
subdirectory to sign your artifacts.
Read the header of the scripts for instructions.  You will need your
private key.

Or, when you're ready, I can sign it.

[1] http://www.apache.org/dev/release-signing.html

Carol

On 7/16/12 7:19PM, "Om" <bi...@gmail.com> wrote:

>(Carol/Alex, please feel free to jump in as well)
>
>This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you
>download a binary file.
>For this discussion, the InstallApacheFlex AIR app = 'Installer'
>
>1.  Should the installer be signed in the same way as the Apache Flex SDK
>binary is signed?  The process for signing AIR apps is described here
>[1<http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html>]
>How do we do this in the Apache way?
>
>2.  The installer downloads the binary distribution of the Apache Flex
>sdk.  Should the installer programmatically verify the downloaded binary
>file's signature before uncompressing it?
>
>3.  I see that mirrors are preferred over downloading directly from Apache
>servers.  Is there a standard list of mirror locations that I can access
>from somewhere?  I think I will need to modify the installer to
>dynamically
>select a mirror for downloading from, right?
>
>[1]
>http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>
>Thanks,
>Om