community-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: Automated ASF GPG signing
Date Fri, 26 Feb 2016 03:01:03 GMT
It seems reasonable to me to tack code signing onto the end of CI builds
from the likes of buildbot and Jenkins. You can then restrict your code
signing service to the robots and avoid the pesky problems humans
introduce into the process.

Daniel Ruggeri

On 2/25/2016 1:57 PM, Christopher wrote:
> The tricky part would be to establish policy and enforcement of its use for
> ASF-releases only. It would probably have to be used for release candidates
> also. It would obviously have to be locked down to release managers, but
> who are the authorized release managers (PMC, committers, other?), and how
> does one tell what is an authorized release artifact? Trust of the system
> might have to rely on audit logs and policy, rather than strict
> enforcement, which isn't idea.
> A related service could possibly be set up, so instead of pushing directly
> to the mirrors, uploading to dist would trigger signing? We'd also probably
> need to address uploading to the Maven Central staging repositories. For
> Maven projects, a maven plugin could easily be written which uses this
> service and replaces the maven-gpg-plugin. It could also be done on deploy,
> en route to the staging repositories.
> An alternative implementation would be that this service would escrow keys
> not just for ASF-wide, but also for

View raw message