incubator-flex-dev mailing list archives

From Om <bigosma...@gmail.com>
Subject Re: [MENTOR] How to handle Air app signing certificate
Date Wed, 15 Aug 2012 23:30:35 GMT
So how does this sound:


   - We don't keep the .p12 file in the repo.
   - We ask developers who want to work with the source code to generate a
   .p12 file (using FB or similar tools) for themselves
   - They should not check it in (add *.p12 to svn ignore?)
   - The release managers would create a .p12 certificate (and a pass code)
   as the official one.  This will not be checked in.
   - A release build is created using the source code + .p12 + pass code
   combination.
   - Whoever is the current release manager gets the .p12 certificate +
   pass code from the previous release manager to make a release build.
   - It is up to the release managers to keep the .p12 and pass code
   secure.

Note:  We may need two release managers for every release - one for Windows
and one for Mac since AIR apps for a platform need to be built on the same
platform.

P.S.:  I have a thread going on in infra-dev to get an official Apache.org
or Apache Flex AIR app signing certificate.  You can follow it here: [1]

Thanks,
Om

[1] http://markmail.org/message/5te7ygbwzxulhpyj

On Wed, Aug 15, 2012 at 2:25 PM, Clint Modien <cmodien@gmail.com> wrote:

> Anyone could sign code with the cert if they know/crack the password for
> the private key.
>
> I would keep all certs out of the repo in the interest of security and
> keep them in a safe place and only grant access to people who create
> distribution packages.
>
> If you're doing dev… you can generate your own cert.
>
> On Aug 15, 2012, at 1:05 PM, Om wrote:
>
> >>
> >> I fixed all the issues identified by the RAT check except
> >> certificate.p12.
> >> That's a binary file and I don't think it can go in the source
> >> distribution.
> >>
> >> I'll leave that to Om and/or Erik to figure out.
> >>
> >>
> > It makes sense for any developer who wants to work on it to create their
> > own certificate.  Flash Builder makes it very seamless.
> >
> > But, what about official releases?  We need to have and maintain one
> > certificate so that the app upgrades on client's machines go smoothly.
> >
> > .p12 files can be created, modified etc. using a variety of tools like
> > Flash Builder, OpenSSL, etc.  Can we make an exception for p12 files and
> > keep it in the source?
> >
> > Thanks,
> > Om
>
>
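
An added example, not part of the original thread or the project's build: a pre-release scan that enforces the "no .p12 in the repo" rule proposed above by flagging keystores by extension and by their PKCS#12 header, so a renamed file is caught too. The `installer/` tree, file names other than `certificate.p12`, and the sample bytes are constructed for illustration.

```python
import os
import tempfile

KEYSTORE_EXTS = {".p12", ".pfx"}

def looks_like_pkcs12(data: bytes) -> bool:
    """True if data starts like a PFX: SEQUENCE { INTEGER 3, SEQUENCE ... }."""
    if len(data) < 2 or data[0] != 0x30:       # outer ASN.1 SEQUENCE tag
        return False
    first = data[1]
    if first <= 0x80:                          # short form or BER indefinite length
        body = 2
    else:                                      # long form: low 7 bits = length byte count
        body = 2 + (first & 0x7F)
    # version INTEGER 3, then the authSafe ContentInfo SEQUENCE
    return data[body:body + 4] == b"\x02\x01\x03\x30"

def find_keystores(root: str) -> list:
    """Return sorted relative paths that are keystores by name or by content."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".svn", ".git")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            ext = os.path.splitext(name)[1].lower()
            if ext in KEYSTORE_EXTS or looks_like_pkcs12(head):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def demo() -> list:
    """Build a constructed sample tree and scan it."""
    # Constructed header bytes only; this is not real key material.
    fake_pfx = b"\x30\x82\x09\xa1\x02\x01\x03\x30\x82\x09\x67" + b"\x00" * 8
    files = {
        "installer/certificate.p12": fake_pfx,
        "installer/src/icon.bin": fake_pfx,          # keystore under another name
        "installer/src/Main.mxml": b"<?xml version=\"1.0\"?>",
        "README": b"0 is ASCII 0x30, but this is not a keystore",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "installer", "src"))
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return find_keystores(root)

if __name__ == "__main__":
    print(demo())
```

A non-empty result from `find_keystores` on a checkout would be the signal to fail the packaging step before a source distribution is cut.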
