commons-dev mailing list archives

From Gary Gregory <>
Subject RE: Code signing
Date Tue, 01 Jul 2014 23:21:06 GMT
Are we going to distribute signed and unsigned versions of the same files?  How does this
relate to signing jars? Are we going to do that as well? 


-------- Original message --------
From: Mark Thomas <>
Date: 07/01/2014 15:53 (GMT-05:00)
To: Commons Developers List <>
Subject: Code signing

You may be aware that the ASF is currently evaluating an external code
signing service. So far, things are looking good. Assuming it moves
forward, Apache Tomcat is going to be used as a guinea pig for the live
service. Some of the components Tomcat wants to sign are the procrun
binaries from Commons Daemon.

There is a cost associated with each signing of a group of files so it
makes sense to sign the procrun binaries once and distribute the signed
versions from Commons.

The current plan is that code will be signed by a certificate associated
with a PMC, with individual RMs being granted the ability to request
signing on behalf of the PMC as necessary.

With this in mind, I'd like to propose the following process for signing
Commons Daemon 1.0.15. (I'll do most of the leg work.)

1. Set up the Commons PMC signing org.
2. Add me to that org.
3. Download the procrun binaries, validate them, and get them signed.
4. Propose the signed binaries for release
5. We VOTE (hopefully a simple process)
6. Add them alongside the unsigned binaries at:

Hopefully, future releases will be signed at build time but that will
require some integration work (I'm currently working on a PoC with the
Tomcat build process).

If you have any concerns about the above, please speak up now.
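Steps 3 and 6 of the proposal leave an RM holding two builds of the same procrun executable, one with an embedded Authenticode signature and one without, and the thread asks how the two will be told apart. The script below is an added example, not code from the thread, from Commons Daemon or from the ASF signing service: it reads the PE optional header and reports whether a file carries an attribute certificate table (data directory entry 4, the slot Windows uses for Authenticode), so an RM can check that the files being proposed for release are actually the signed ones before a VOTE and that the unsigned copies are what they claim to be. The sample PE images are constructed in the script and are not real procrun binaries; the signature payload they embed is a placeholder blob, not a valid PKCS#7 structure.

```python
"""Classify Windows PE files as Authenticode-signed or unsigned (added example)."""
import hashlib
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode
SECURITY_DIRECTORY_INDEX = 4             # IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike every other data directory, the security entry holds a raw file
    offset rather than an RVA, so it can be read without mapping sections.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt_off = e_lfanew + 4 + 20                       # after COFF file header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                                # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                              # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, opt_off + count_off)
    if num_dirs <= SECURITY_DIRECTORY_INDEX:
        return None
    entry = opt_off + dirs_off + SECURITY_DIRECTORY_INDEX * 8
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def is_authenticode_signed(data: bytes) -> bool:
    """True if the image carries a WIN_CERTIFICATE of the PKCS#7 kind.

    This only proves a signature blob is present; validity, chain and
    timestamp still have to be checked with a real verifier.
    """
    found = security_directory(data)
    if found is None:
        return False
    offset, size = found
    if size < 8 or offset + size > len(data):
        return False                                  # truncated or bogus table
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= size


def sha256_hex(data: bytes) -> str:
    """Whole-file SHA-256, the value an RM would publish alongside the artifact."""
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """One-word label for a release listing: 'signed' or 'unsigned'."""
    return "signed" if is_authenticode_signed(data) else "unsigned"


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image for demonstration; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    opt_size = 224                                    # PE32 header, 16 dirs
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff
    cert_off = len(header) + opt_size                 # certificate table follows
    cert = b""
    if signed:
        payload = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder, not PKCS#7
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 96 + SECURITY_DIRECTORY_INDEX * 8,
                         cert_off, len(cert))
    return header + bytes(opt) + cert


if __name__ == "__main__":
    for label, image in (("prunsrv-unsigned", build_sample_pe(False)),
                         ("prunsrv-signed", build_sample_pe(True))):
        print(label, classify(image), sha256_hex(image))
```

The presence check is deliberately the only thing done here; whether the signature chains to the PMC's certificate and carries a timestamp is a job for `signtool verify /pa` on Windows or `osslsigncode verify` elsewhere. Note too that signing changes the whole-file SHA-256, so the signed and unsigned copies of a release need separate published checksums.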


