commons-dev mailing list archives

From Mark Thomas <>
Subject Re: Code signing
Date Wed, 02 Jul 2014 06:32:03 GMT
On 02/07/2014 00:21, Gary Gregory wrote:
> Are we going to distribute signed and unsigned versions of the same files?

For Commons Daemon 1.0.15, yes, since we already have the unsigned
version on /dist and I don't think we should change that in any way. For
new releases I'd expect we'd just distribute the signed versions.

> How does this relate to signing jars? Are we going to do that as well?

The code signing system being investigated supports signing of JARs (and
a bunch of other stuff) as well as Windows binaries. At this point
Tomcat is only looking to sign the Windows binaries (to solve [1]) so it
is only the Commons Daemon binaries for Windows (procrun) that I am
looking to sign at this point.

Note that signing the JARs as well would incur an additional cost and,
since there is no requirement for that at this point, it isn't something
I'm planning on implementing.



> Gary
> -------- Original message --------
> From: Mark Thomas <>
> Date: 07/01/2014 15:53 (GMT-05:00)
> To: Commons Developers List <>
> Subject: Code signing
>
> All,
> You may be aware that the ASF is currently evaluating an external code
> signing service. So far, things are looking good. Assuming it moves
> forward, Apache Tomcat is going to be used as a guinea pig for the live
> service. Some of the components Tomcat wants to sign are the procrun
> binaries from Commons Daemon.
> There is a cost associated with each signing of a group of files so it
> makes sense to sign the procrun binaries once and distribute the signed
> versions from Commons.
> The current plan is that code will be signed by a certificate associated
> with a PMC, with individual RMs being granted the ability to request
> signing on behalf of the PMC as necessary.
> With this in mind, I'd like to propose the following process for signing
> Commons Daemon 1.0.15. (I'll do most of the leg work.)
> 1. Set up the Commons PMC signing org.
> 2. Add me to that org.
> 3. Download the procrun binaries, validate them, and get them signed.
> 4. Propose the signed binaries for release.
> 5. We VOTE (hopefully a simple process).
> 6. Add them alongside the unsigned binaries at:
> Hopefully, future releases will be signed at build time but that will
> require some integration work (I'm currently working on a PoC with the
> Tomcat build process).
> If you have any concerns about the above, please speak up now.
> Cheers,
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
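One check a reviewer of the signed release would want, added here as an example that is not part of this thread or of Commons Daemon: the Authenticode digest of a PE file leaves out the CheckSum field, the Security data-directory entry and the appended certificate table, so the signed procrun binary and the unsigned copy already on /dist should yield the same digest even though their plain file hashes differ. The PE image, the certificate blob and the CheckSum value below are constructed stand-ins, and the hashing assumes sections lie in file order.

```python
import hashlib
import struct

def _field_offsets(pe: bytes):
    """File offsets of the optional header's CheckSum field and of the Security data-directory entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    opt = e_lfanew + 24                          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    return opt + 64, opt + (128 if magic == 0x10B else 144)   # PE32 vs PE32+

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over the file minus CheckSum, the Security entry and the certificate table.
    Simplified: assumes sections lie in file order; the spec re-orders them by PointerToRawData."""
    cksum, secdir = _field_offsets(pe)
    sig_off, sig_len = struct.unpack_from("<II", pe, secdir)
    h = hashlib.sha256()
    h.update(pe[:cksum])
    h.update(pe[cksum + 4:secdir])
    h.update(pe[secdir + 8:sig_off or len(pe)])
    if sig_off:
        h.update(pe[sig_off + sig_len:])         # any data trailing the certificate table
    return h.hexdigest()

def file_hash(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()        # what a checksum file on /dist would list

def build_unsigned_pe() -> bytes:
    """Constructed minimal PE32 image with one section (not a real procrun binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                     # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + b"\0" * (0x200 - len(hdr)) + bytes(range(256))  # 768 bytes, 8-byte aligned

def attach_signature(pe: bytes, pkcs7_blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE entry (rev 2.0, PKCS_SIGNED_DATA) holding a constructed placeholder blob."""
    assert len(pe) % 8 == 0, "certificate table must start 8-byte aligned"
    cksum, secdir = _field_offsets(pe)
    entry = struct.pack("<IHH", 8 + len(pkcs7_blob), 0x0200, 0x0002) + pkcs7_blob
    entry += b"\0" * (-len(entry) % 8)
    out = bytearray(pe)
    struct.pack_into("<II", out, secdir, len(pe), len(entry))   # point Security entry at the table
    struct.pack_into("<I", out, cksum, 0x12345678)             # stand-in for a recomputed CheckSum
    return bytes(out) + entry
```

Comparing `authenticode_hash` of the two files answers "same code?" while `file_hash` answers "same bytes?"; a release checksum file necessarily lists the latter, so it differs between the signed and unsigned downloads.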
