[MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed

[Jürgen Schmidt <jo...@googlemail.com>]

On 3/23/12 7:25 AM, lou ql wrote:
> on Windows 7, when I double-click the package to install, a User Account
> Control message will appear and the publisher is "Unknown", will this be
> fixed at the final version?
>

good question where I don't have an answer yet. We have to discuss this 
with legal and/or with our mentors.

I think we will need a trustful certificate that is accepted and where 
we (or at least one person providing the binary Windows builds) has 
access to the private information ...

I don't know if such a certificate already exists and if a process to 
use it is in an appropriate and secure way exists as well.

@our mentors: can you provide any information or advice how we can 
address this issue?

I assuem it will become even more important for Windows 8.


Juergen

Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed

[Jürgen Schmidt <jo...@googlemail.com>]

On 3/26/12 5:09 PM, Rob Weir wrote:
> On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
> <jo...@googlemail.com>wrote:
>
>> On 3/23/12 7:25 AM, lou ql wrote:
>>
>>> on Windows 7, when I double-click the package to install, a User Account
>>> Control message will appear and the publisher is "Unknown", will this be
>>> fixed at the final version?
>>>
>>>
>> good question where I don't have an answer yet. We have to discuss this
>> with legal and/or with our mentors.
>>
>> I think we will need a trustful certificate that is accepted and where we
>> (or at least one person providing the binary Windows builds) has access to
>> the private information ...
>>
>> I don't know if such a certificate already exists and if a process to use
>> it is in an appropriate and secure way exists as well.
>>
>
>
> There was a mention of this a few weeks ago, that some at Apache were
> exploring the possibility of having code signing certificates for Apache
> releases.  This was in the thread where we were discussing the anti-virus
> warnings about the 3.4 dev builds.  But there was no indication of time
> frame.
>
> Looking at the Verisign website, it looks like a 1-year "Authenticode"
> certificate costs *$499. *
>
> And I assume that signing an EXE or MSI with a cert would break our
> detached PGP signature.   So how we would integrate code signing with
> release procedures is an interesting question.  Ditto for how we would
> protect our signing key.  I assume we would not want want 90 PPMC members
> to have access to it.

We sign the downloadable archives. That means signing the exe, msi with 
a cert before we build the archive should be ok.

I know that we did some sophisticated 2 step signing where we signed 
dlls (IE plugins) first and included this signed dlls. The whole setup 
package was signed again.

The question is more if we can get such an official cert and how we can 
use it.

Any ideas how we can drive this important question forward.

Juergen

>
>
>>
>> @our mentors: can you provide any information or advice how we can address
>> this issue?
>>
>> I assuem it will become even more important for Windows 8.
>>
>>
>> Juergen
>>
>>
>

Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed

[Joost Andrae <Jo...@gmx.de>]

Hi,

> There was a mention of this a few weeks ago, that some at Apache were
> exploring the possibility of having code signing certificates for Apache
> releases.  This was in the thread where we were discussing the anti-virus
> warnings about the 3.4 dev builds.  But there was no indication of time
> frame.
>
> Looking at the Verisign website, it looks like a 1-year "Authenticode"
> certificate costs *$499. *
>
> And I assume that signing an EXE or MSI with a cert would break our
> detached PGP signature.   So how we would integrate code signing with
> release procedures is an interesting question.  Ditto for how we would
> protect our signing key.  I assume we would not want want 90 PPMC members
> to have access to it.
>

as far as I remember (IMHO) the signature is person and system bound so 
there might be a problem to integrate it into a server farm. If we need 
certificates (at least for Win32 binaries) then this is something to 
think about (ASAP).

Kind regards, Joost

Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed

[Rob Weir <ro...@apache.org>]

On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
<jo...@googlemail.com>wrote:

> On 3/23/12 7:25 AM, lou ql wrote:
>
>> on Windows 7, when I double-click the package to install, a User Account
>> Control message will appear and the publisher is "Unknown", will this be
>> fixed at the final version?
>>
>>
> good question where I don't have an answer yet. We have to discuss this
> with legal and/or with our mentors.
>
> I think we will need a trustful certificate that is accepted and where we
> (or at least one person providing the binary Windows builds) has access to
> the private information ...
>
> I don't know if such a certificate already exists and if a process to use
> it is in an appropriate and secure way exists as well.
>


There was a mention of this a few weeks ago, that some at Apache were
exploring the possibility of having code signing certificates for Apache
releases.  This was in the thread where we were discussing the anti-virus
warnings about the 3.4 dev builds.  But there was no indication of time
frame.

Looking at the Verisign website, it looks like a 1-year "Authenticode"
certificate costs *$499. *

And I assume that signing an EXE or MSI with a cert would break our
detached PGP signature.   So how we would integrate code signing with
release procedures is an interesting question.  Ditto for how we would
protect our signing key.  I assume we would not want want 90 PPMC members
to have access to it.


>
> @our mentors: can you provide any information or advice how we can address
> this issue?
>
> I assuem it will become even more important for Windows 8.
>
>
> Juergen
>
>