ignite-dev mailing list archives

From Konstantin Boudnik <...@apache.org>
Subject Re: Signing Ignite artifacts
Date Wed, 14 Jan 2015 19:53:18 GMT
What Brane said. Also, you can just use your own GPG key, but it'd be good to
have it signed by others with trusted keys.

Perhaps some of the mentors could key-sign your published keys. Considering how
spread out the community is, we can perhaps do a key-signing over a video call.

But using the ASF service would be the most straightforward way, I think.


On Wed, Jan 14, 2015 at 02:20PM, Branko Čibej wrote:
> On 14.01.2015 10:40, Sergey Evdokimov wrote:
> > Hello,
> >
> > I'm working on Ignite release process.
> >
> > All release artifacts must be signed. Do we have a key to sign GridGain
> > artifacts or should I generate it? If I generate a key, how do I make the
> > public key trusted?
> They will not be GridGain artefacts, that's for sure. :)
> > I've created a TeamCity configuration that builds nightly builds and uploads them
> > to https://repository.apache.org/content/repositories/snapshots . (TeamCity
> > configuration:
> >
> > )
> The ASF recently started a code-signing service, however, I'm fairly
> sure that one of the prerequisites is that the artefacts are built on
> ASF infrastructure, not just anywhere.
> Here's the forwarded announcement:
> ---------- Forwarded message ----------
> From: Mark Thomas <markt@apache.org>
> Date: Mon, Nov 17, 2014 at 6:30 AM
> Subject: Code signing service now available
> To: "infrastructure@apache.org" <infrastructure@apache.org>
> The ASF Infrastructure team is pleased to announce the availability of a
> new code signing service for Java, Windows and Android applications.
> This service is available to any Apache project to use to sign their
> releases.
> After a great deal of research, we have chosen Symantec's Secure App
> Service offering to provide code signing service. This allows us to
> granularly permit access; and each PMC will have their own
> certificate(s) for signing. The per-project nature of certificate
> issuance allows us to revoke a signature without disrupting other projects.
> This service will permit projects to sign artifacts either via a web GUI
> or a SOAP API. In addition a Java client and an ant task for signing
> have been written and a maven plugin is under development.
> This service results in a 'pay for what you use' scenario, so PMCs are
> asked to use the service responsibly. To that end, projects will have
> access to a test environment to ensure that they have their process
> working correctly before consuming actual credits.
> Thus far, we've had two projects who have helped testing this and
> working out process for which we are very grateful. Those projects,
> Commons and Tomcat, have successfully released signed artifacts
> recently. (Commons Daemon 1.0.15 and Tomcat 8.0.15)
> Projects that wish to use this service should open an Infra JIRA ticket
> under the Codesigning component.
> If you have any questions about this new service then feel free to ask
> them on the infrastructure mailing list. This week is also an
> opportunity to discuss this new service face-to-face with the
> Infrastructure Team at ApacheCon EU. Come along to one of the infra
> presentations or find one of us during one of the breaks.
> Mark
> on behalf of the ASF Infrastructure Team
