ignite-dev mailing list archives

From Branko Čibej <br...@apache.org>
Subject Re: Signing Ignite artifacts
Date Wed, 14 Jan 2015 13:20:32 GMT
On 14.01.2015 10:40, Sergey Evdokimov wrote:
> Hello,
>
> I'm working on Ignite release process.
>
> All release artifacts must be signed. Do we have a key to sign GridGain
> artifacts, or should I generate it? If I generate a key, how do I make
> the public key trusted?

They will not be GridGain artefacts, that's for sure. :)

> I've created a TeamCity configuration that builds Nightly builds and uploads them
> to https://repository.apache.org/content/repositories/snapshots . (TeamCity
> configuration:
> http://94.72.60.102/viewType.html?buildTypeId=IgniteBuildsAndUploads_IniteNightlyBuild
> )

The ASF recently started a code-signing service; however, I'm fairly
sure that one of the prerequisites is that the artefacts are built on
ASF infrastructure, not just anywhere.

Here's the forwarded announcement:

---------- Forwarded message ----------
From: Mark Thomas <markt@apache.org>
Date: Mon, Nov 17, 2014 at 6:30 AM
Subject: Code signing service now available
To: infrastructure@apache.org


The ASF Infrastructure team is pleased to announce the availability of a
new code signing service for Java, Windows and Android applications.
This service is available to any Apache project to use to sign their
releases.

After a great deal of research, we have chosen Symantec's Secure App
Service offering to provide code signing service. This allows us to
granularly permit access; and each PMC will have their own
certificate(s) for signing. The per-project nature of certificate
issuance allows us to revoke a signature without disrupting other projects.

This service will permit projects to sign artifacts either via a web GUI
or a SOAP API. In addition a Java client and an ant task for signing
have been written and a maven plugin is under development.

This service results in a 'pay for what you use' scenario, so PMCs are
asked to use the service responsibly. To that end, projects will have
access to a test environment to ensure that they have their process
working correctly before consuming actual credits.

Thus far, we've had two projects that have helped test this and
work out the process, for which we are very grateful. Those projects,
Commons and Tomcat, have successfully released signed artifacts
recently. (Commons Daemon 1.0.15 and Tomcat 8.0.15)

Projects that wish to use this service should open an Infra JIRA ticket
under the Codesigning component.

If you have any questions about this new service then feel free to ask
them on the infrastructure mailing list. This week is also an
opportunity to discuss this new service face-to-face with the
Infrastructure Team at ApacheCon EU. Come along to one of the infra
presentations or find one of us during one of the breaks.

Mark
on behalf of the ASF Infrastructure Team

