incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joost Andrae <>
Subject Re: [MENTOR ADVICE]]Re: [RC build testing]the .exe packages are not signed
Date Mon, 26 Mar 2012 15:27:04 GMT

> There was a mention of this a few weeks ago, that some at Apache were
> exploring the possibility of having code signing certificates for Apache
> releases.  This was in the thread where we were discussing the anti-virus
> warnings about the 3.4 dev builds.  But there was no indication of time
> frame.
> Looking at the Verisign website, it looks like a 1-year "Authenticode"
> certificate costs *$499. *
> And I assume that signing an EXE or MSI with a cert would break our
> detached PGP signature.   So how we would integrate code signing with
> release procedures is an interesting question.  Ditto for how we would
> protect our signing key.  I assume we would not want want 90 PPMC members
> to have access to it.

as far as I remember (IMHO) the signature is person and system bound so 
there might be a problem to integrate it into a server farm. If we need 
certificates (at least for Win32 binaries) then this is something to 
think about (ASAP).

Kind regards, Joost

View raw message