You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openoffice.apache.org by Jürgen Schmidt <jo...@googlemail.com> on 2012/03/26 15:32:06 UTC
[MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed
On 3/23/12 7:25 AM, lou ql wrote:
> on Windows 7, when I double-click the package to install, a User Account
> Control message will appear and the publisher is "Unknown", will this be
> fixed at the final version?
>
good question where I don't have an answer yet. We have to discuss this
with legal and/or with our mentors.
I think we will need a trustful certificate that is accepted and where
we (or at least one person providing the binary Windows builds) has
access to the private information ...
I don't know if such a certificate already exists and if a process to
use it is in an appropriate and secure way exists as well.
@our mentors: can you provide any information or advice how we can
address this issue?
I assuem it will become even more important for Windows 8.
Juergen
Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not
signed
Posted by Jürgen Schmidt <jo...@googlemail.com>.
On 3/26/12 5:09 PM, Rob Weir wrote:
> On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
> <jo...@googlemail.com>wrote:
>
>> On 3/23/12 7:25 AM, lou ql wrote:
>>
>>> on Windows 7, when I double-click the package to install, a User Account
>>> Control message will appear and the publisher is "Unknown", will this be
>>> fixed at the final version?
>>>
>>>
>> good question where I don't have an answer yet. We have to discuss this
>> with legal and/or with our mentors.
>>
>> I think we will need a trustful certificate that is accepted and where we
>> (or at least one person providing the binary Windows builds) has access to
>> the private information ...
>>
>> I don't know if such a certificate already exists and if a process to use
>> it is in an appropriate and secure way exists as well.
>>
>
>
> There was a mention of this a few weeks ago, that some at Apache were
> exploring the possibility of having code signing certificates for Apache
> releases. This was in the thread where we were discussing the anti-virus
> warnings about the 3.4 dev builds. But there was no indication of time
> frame.
>
> Looking at the Verisign website, it looks like a 1-year "Authenticode"
> certificate costs *$499. *
>
> And I assume that signing an EXE or MSI with a cert would break our
> detached PGP signature. So how we would integrate code signing with
> release procedures is an interesting question. Ditto for how we would
> protect our signing key. I assume we would not want want 90 PPMC members
> to have access to it.
We sign the downloadable archives. That means signing the exe, msi with
a cert before we build the archive should be ok.
I know that we did some sophisticated 2 step signing where we signed
dlls (IE plugins) first and included this signed dlls. The whole setup
package was signed again.
The question is more if we can get such an official cert and how we can
use it.
Any ideas how we can drive this important question forward.
Juergen
>
>
>>
>> @our mentors: can you provide any information or advice how we can address
>> this issue?
>>
>> I assuem it will become even more important for Windows 8.
>>
>>
>> Juergen
>>
>>
>
Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not
signed
Posted by Joost Andrae <Jo...@gmx.de>.
Hi,
> There was a mention of this a few weeks ago, that some at Apache were
> exploring the possibility of having code signing certificates for Apache
> releases. This was in the thread where we were discussing the anti-virus
> warnings about the 3.4 dev builds. But there was no indication of time
> frame.
>
> Looking at the Verisign website, it looks like a 1-year "Authenticode"
> certificate costs *$499. *
>
> And I assume that signing an EXE or MSI with a cert would break our
> detached PGP signature. So how we would integrate code signing with
> release procedures is an interesting question. Ditto for how we would
> protect our signing key. I assume we would not want want 90 PPMC members
> to have access to it.
>
as far as I remember (IMHO) the signature is person and system bound so
there might be a problem to integrate it into a server farm. If we need
certificates (at least for Win32 binaries) then this is something to
think about (ASAP).
Kind regards, Joost
Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed
Posted by Rob Weir <ro...@apache.org>.
On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
<jo...@googlemail.com>wrote:
> On 3/23/12 7:25 AM, lou ql wrote:
>
>> on Windows 7, when I double-click the package to install, a User Account
>> Control message will appear and the publisher is "Unknown", will this be
>> fixed at the final version?
>>
>>
> good question where I don't have an answer yet. We have to discuss this
> with legal and/or with our mentors.
>
> I think we will need a trustful certificate that is accepted and where we
> (or at least one person providing the binary Windows builds) has access to
> the private information ...
>
> I don't know if such a certificate already exists and if a process to use
> it is in an appropriate and secure way exists as well.
>
There was a mention of this a few weeks ago, that some at Apache were
exploring the possibility of having code signing certificates for Apache
releases. This was in the thread where we were discussing the anti-virus
warnings about the 3.4 dev builds. But there was no indication of time
frame.
Looking at the Verisign website, it looks like a 1-year "Authenticode"
certificate costs *$499. *
And I assume that signing an EXE or MSI with a cert would break our
detached PGP signature. So how we would integrate code signing with
release procedures is an interesting question. Ditto for how we would
protect our signing key. I assume we would not want want 90 PPMC members
to have access to it.
>
> @our mentors: can you provide any information or advice how we can address
> this issue?
>
> I assuem it will become even more important for Windows 8.
>
>
> Juergen
>
>