incubator-ooo-dev mailing list archives

From Rob Weir <>
Subject Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed
Date Mon, 26 Mar 2012 15:09:25 GMT
On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt

> On 3/23/12 7:25 AM, lou ql wrote:
>> on Windows 7, when I double-click the package to install, a User Account
>> Control message will appear and the publisher is "Unknown", will this be
>> fixed at the final version?
> good question where I don't have an answer yet. We have to discuss this
> with legal and/or with our mentors.
> I think we will need a trustful certificate that is accepted and where we
> (or at least one person providing the binary Windows builds) has access to
> the private information ...
> I don't know if such a certificate already exists and if a process to use
> it is in an appropriate and secure way exists as well.

There was a mention of this a few weeks ago, that some at Apache were
exploring the possibility of having code signing certificates for Apache
releases.  This was in the thread where we were discussing the anti-virus
warnings about the 3.4 dev builds.  But there was no indication of time

Looking at the Verisign website, it looks like a 1-year "Authenticode"
certificate costs *$499*.

And I assume that signing an EXE or MSI with a cert would break our
detached PGP signature.   So how we would integrate code signing with
release procedures is an interesting question.  Ditto for how we would
protect our signing key.  I assume we would not want 90 PPMC members
to have access to it.

> @our mentors: can you provide any information or advice how we can address
> this issue?
> I assume it will become even more important for Windows 8.
> Juergen
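
Added example (not part of the original message, and not Apache or OpenOffice release tooling): Authenticode stores its signature inside the EXE, so this sketch embeds a placeholder certificate blob into a constructed PE32-shaped byte string and compares a whole-file digest, standing in for what a detached signature covers, with a simplified Authenticode-style digest. All function names, the placeholder blob and the stand-in checksum value are assumptions made for the illustration.

```python
import hashlib
import struct

def pe_offsets(pe: bytes):
    """Return file offsets of the CheckSum field and the certificate-table directory entry."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 4 + 20   # e_lfanew + "PE\0\0" + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ optional header
    return opt + 64, dirs + 4 * 8                          # directory entry 4 = certificate table

def whole_file_digest(pe: bytes) -> str:
    """Stand-in for what a detached signature covers: every byte of the file."""
    return hashlib.sha256(pe).hexdigest()

def authenticode_digest(pe: bytes) -> str:
    """Simplified Authenticode-style hash (linear, no section sorting): skip the signing-mutable ranges."""
    checksum, cert_dir = pe_offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    end = cert_off if cert_size else len(pe)               # stop before the certificate table
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:cert_dir], pe[cert_dir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def build_unsigned_pe() -> bytes:
    """Constructed minimal PE32-shaped image (headers plus filler), not a runnable EXE."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)          # optional header magic: PE32
    img[0x200:] = b"\x90" * 0x200                          # filler standing in for section data
    return bytes(img)

def embed_signature(pe: bytes, blob: bytes) -> bytes:
    """Mimic the layout change of signing: append a WIN_CERTIFICATE and point entry 4 at it."""
    checksum, cert_dir = pe_offsets(pe)
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    cert += b"\0" * (-len(cert) % 8)                       # table entries are 8-byte aligned
    out = bytearray(pe)
    struct.pack_into("<II", out, cert_dir, len(pe), len(cert))
    struct.pack_into("<I", out, checksum, 0x0000BEEF)      # constructed stand-in for the new checksum
    return bytes(out) + cert

if __name__ == "__main__":
    unsigned = build_unsigned_pe()
    signed = embed_signature(unsigned, b"CONSTRUCTED-PKCS7-PLACEHOLDER")
    print("whole-file digest changed:", whole_file_digest(unsigned) != whole_file_digest(signed))
    print("authenticode digest stable:", authenticode_digest(unsigned) == authenticode_digest(signed))
```

A detached signature or checksum made over the unsigned bytes no longer matches the shipped file, so in a release procedure it has to be generated over the final, Authenticode-signed bytes.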
