incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: [MENTOR ADVICE] Re: [RC build testing] the .exe packages are not signed
Date Mon, 26 Mar 2012 15:09:25 GMT
On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
<jogischmidt@googlemail.com> wrote:

> On 3/23/12 7:25 AM, lou ql wrote:
>
>> on Windows 7, when I double-click the package to install, a User Account
>> Control message appears and the publisher is "Unknown". Will this be
>> fixed in the final version?
>>
>>
> A good question to which I don't have an answer yet. We have to discuss this
> with legal and/or with our mentors.
>
> I think we will need a trusted certificate that is accepted and where we
> (or at least one person providing the binary Windows builds) have access to
> the private information ...
>
> I don't know if such a certificate already exists and if a process to use
> it is in an appropriate and secure way exists as well.
>


There was a mention of this a few weeks ago, that some at Apache were
exploring the possibility of having code signing certificates for Apache
releases.  This was in the thread where we were discussing the anti-virus
warnings about the 3.4 dev builds.  But there was no indication of time
frame.

Looking at the Verisign website, it looks like a 1-year "Authenticode"
certificate costs $499.

And I assume that signing an EXE or MSI with a cert would break our
detached PGP signature.  So how we would integrate code signing with
release procedures is an interesting question.  Ditto for how we would
protect our signing key.  I assume we would not want 90 PPMC members
to have access to it.


>
> @our mentors: can you provide any information or advice how we can address
> this issue?
>
> I assume it will become even more important for Windows 8.
>
>
> Juergen
>
>
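The interaction between Authenticode and the detached PGP signature raised above, as an added example that is not part of this thread and not the OpenOffice project's release tooling: a small Python check for whether a PE binary (EXE/DLL) already carries an Authenticode signature, which is the condition under which Windows can show a publisher at all rather than "Unknown" (whether it trusts that publisher is a separate check), plus a stand-in for what a detached PGP signature commits to, showing why the .asc has to be produced over the Authenticode-signed bytes. The PE images and the PKCS#7 blob are constructed placeholders built in memory; MSI packages are OLE compound files, not PE, and are not covered here.

```python
"""Added example: detect an Authenticode signature in a PE image and show why
a detached PGP signature must be made over the signed file. The PE images
and the PKCS#7 blob are constructed placeholders, not real installers."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _security_dir_slot(pe: bytes):
    """File offset of data directory entry 4, or None if this is not a PE
    image with at least five data directories."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    if len(pe) < opt + 2:
        return None
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                 # PE32: NumberOfRvaAndSizes at 92, directories at 96
        n_off, dd_off = 92, 96
    elif magic == 0x20B:               # PE32+: at 108 and 112
        n_off, dd_off = 108, 112
    else:
        return None
    slot = opt + dd_off + 8 * SECURITY_DIR_INDEX
    if len(pe) < slot + 8:
        return None
    if struct.unpack_from("<I", pe, opt + n_off)[0] <= SECURITY_DIR_INDEX:
        return None
    return slot


def authenticode_entry(pe: bytes):
    """(file_offset, size) of the certificate table, or None when absent.
    Unlike the other data directories this entry holds a file offset, not an RVA."""
    slot = _security_dir_slot(pe)
    if slot is None:
        return None
    offset, size = struct.unpack_from("<II", pe, slot)
    return (offset, size) if size else None


def has_authenticode(pe: bytes) -> bool:
    """True when the table holds an in-bounds WIN_CERTIFICATE of the PKCS#7 type.
    Trust in the signer's chain is a separate check not done here."""
    entry = authenticode_entry(pe)
    if entry is None:
        return False
    offset, size = entry
    if size < 8 or offset + size > len(pe):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return (length <= size and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_unsigned_pe() -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF header and a
    224-byte optional header with 16 empty data directories, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def attach_signature(pe: bytes, pkcs7: bytes) -> bytes:
    """Append a WIN_CERTIFICATE the way signtool does and point directory
    entry 4 at it. pkcs7 is a placeholder here; a real one is DER SignedData."""
    slot = _security_dir_slot(pe)
    if slot is None:
        raise ValueError("not a PE image with a security directory slot")
    out = bytearray(pe)
    out += b"\0" * ((-len(out)) % 8)                 # table must start 8-byte aligned
    offset = len(out)
    cert = bytearray(struct.pack("<IHH", 0, WIN_CERT_REVISION_2_0,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA)) + pkcs7
    cert += b"\0" * ((-len(cert)) % 8)               # entry length rounded up to 8
    struct.pack_into("<I", cert, 0, len(cert))       # dwLength
    struct.pack_into("<II", out, slot, offset, len(cert))
    return bytes(out + cert)


def release_digest(artifact: bytes) -> str:
    """Stand-in for what a detached PGP signature commits to: the exact bytes
    shipped. gpg --detach-sign would be run over these same bytes."""
    return hashlib.sha256(artifact).hexdigest()


def detached_signature_valid(artifact: bytes, signed_digest: str) -> bool:
    return release_digest(artifact) == signed_digest


if __name__ == "__main__":
    unsigned = build_unsigned_pe()
    signed = attach_signature(unsigned, b"<placeholder PKCS#7 SignedData>")
    early = release_digest(unsigned)   # wrong order: detached sig before Authenticode
    print("unsigned has Authenticode:", has_authenticode(unsigned))            # False
    print("signed has Authenticode:", has_authenticode(signed))                # True
    print("early detached sig verifies shipped file:",
          detached_signature_valid(signed, early))                             # False
    print("detached sig over signed bytes verifies:",
          detached_signature_valid(signed, release_digest(signed)))            # True
```

The order this illustrates for a release procedure is: build, Authenticode-sign with signtool or osslsigncode, then run gpg --detach-sign over the signed .exe and publish that .asc. A detached signature taken before Authenticode signing fails against the shipped file because the certificate table is appended to it and the directory entry is rewritten. Authenticode's own hash excludes the CheckSum field, the security directory entry and the certificate table, which is why a file can be re-signed or timestamped in place; a PGP signature has no such exclusion and covers every byte.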
