incubator-ooo-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: [MENTOR ADVICE] Re: [RC build testing] the .exe packages are not signed
Date Mon, 02 Apr 2012 12:58:26 GMT
On 3/26/12 5:09 PM, Rob Weir wrote:
> On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
> <jogischmidt@googlemail.com> wrote:
>
>> On 3/23/12 7:25 AM, lou ql wrote:
>>
>>> on Windows 7, when I double-click the package to install, a User Account
>>> Control message will appear and the publisher is "Unknown", will this be
>>> fixed at the final version?
>>>
>>>
>> good question where I don't have an answer yet. We have to discuss this
>> with legal and/or with our mentors.
>>
>> I think we will need a trusted certificate that is accepted and where we
>> (or at least one person providing the binary Windows builds) have access to
>> the private information ...
>>
>> I don't know if such a certificate already exists and if a process to use
>> it is in an appropriate and secure way exists as well.
>>
>
>
> There was a mention of this a few weeks ago, that some at Apache were
> exploring the possibility of having code signing certificates for Apache
> releases.  This was in the thread where we were discussing the anti-virus
> warnings about the 3.4 dev builds.  But there was no indication of time
> frame.
>
> Looking at the Verisign website, it looks like a 1-year "Authenticode"
> certificate costs *$499. *
>
> And I assume that signing an EXE or MSI with a cert would break our
> detached PGP signature.   So how we would integrate code signing with
> release procedures is an interesting question.  Ditto for how we would
> protect our signing key.  I assume we would not want 90 PPMC members
> to have access to it.

We sign the downloadable archives. That means signing the exe, msi with 
a cert before we build the archive should be ok.

I know that we did some sophisticated 2-step signing where we signed 
DLLs (IE plugins) first and included these signed DLLs. The whole setup 
package was signed again.

The question is more if we can get such an official cert and how we can 
use it.

Any ideas how we can drive this important question forward?

Juergen

>
>> @our mentors: can you provide any information or advice on how we can address
>> this issue?
>>
>> I assume it will become even more important for Windows 8.
>>
>> Juergen
>
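The ordering Juergen describes (Authenticode-sign the DLLs, then the setup .exe, then build the archive and PGP-sign that) works because Authenticode embeds its PKCS#7 blob inside the PE file, in the Certificate Table pointed to by data directory entry 4, so the detached PGP signature is taken over the already-signed bytes. The release gate a Windows build manager would want before the archive step is a scan that refuses any .exe or .dll still lacking that embedded signature. The script below is an added example, not code from the OpenOffice project or this thread: it parses the PE headers directly, builds two constructed PE stubs (a "signed" setup.exe and an unsigned plugin.dll, both hypothetical names with a placeholder blob rather than a real signature) in a temporary tree, and lists the unsigned ones.

```python
import os
import struct
import tempfile

# Index of the Certificate Table entry in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# wCertificateType of an Authenticode PKCS#7 SignedData blob.
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def pe_has_authenticode(data: bytes) -> bool:
    """Return True if the PE image carries an embedded Authenticode signature.

    Only the presence of a well-formed WIN_CERTIFICATE entry is checked; the
    PKCS#7 contents and the certificate chain are NOT validated here (that is
    what signtool verify or the UAC prompt does).
    """
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        coff = e_lfanew + 4                   # IMAGE_FILE_HEADER, 20 bytes
        opt = coff + 20                       # IMAGE_OPTIONAL_HEADER
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                    # PE32: directories start at +96
            dd = opt + 96
        elif magic == 0x20B:                  # PE32+: directories start at +112
            dd = opt + 112
        else:
            return False
        num_dirs = struct.unpack_from("<I", data, dd - 4)[0]  # NumberOfRvaAndSizes
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return False
        # For the security directory, "VirtualAddress" is a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
            return False
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
        length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= cert_size
    except struct.error:
        return False


def find_unsigned_pe(root: str) -> list:
    """Release gate: every .exe/.dll under root without an embedded signature."""
    unsigned = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if not pe_has_authenticode(fh.read()):
                        unsigned.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(unsigned)


def build_minimal_pe(with_signature: bool) -> bytes:
    """Constructed sample: a bare PE32 header layout, not a loadable executable.

    The 'signature' is a placeholder WIN_CERTIFICATE wrapper, not real PKCS#7.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                    # PE32 optional header + 16 directories
    coff_header = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, 0x0102)
    cert_off = e_lfanew + 4 + 20 + opt_size   # certificate table appended after headers
    cert_blob = b""
    directories = [(0, 0)] * 16
    if with_signature:
        payload = b"\x30\x00"                 # stand-in for DER SignedData
        cert_blob = struct.pack("<IHH", 8 + len(payload), 0x0200,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        directories[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(cert_blob))
    optional_header = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    optional_header += b"".join(struct.pack("<II", off, size) for off, size in directories)
    return dos_header + b"PE\0\0" + coff_header + optional_header + cert_blob


def demo_scan() -> list:
    """Write the two constructed files into a temp tree and run the gate."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "program"))
        with open(os.path.join(root, "setup.exe"), "wb") as fh:
            fh.write(build_minimal_pe(True))
        with open(os.path.join(root, "program", "plugin.dll"), "wb") as fh:
            fh.write(build_minimal_pe(False))
        return find_unsigned_pe(root)


if __name__ == "__main__":
    print("unsigned binaries:", demo_scan() or "none")
```

Run it over the staged install tree after the signtool step and before the archive is zipped and `gpg --detach-sign`ed; a non-empty list means the archive would ship a binary that still triggers the "Unknown publisher" UAC prompt. Two caveats: the check proves only that a signature structure is present, not that it chains to a trusted CA, so a real `signtool verify /pa` (or osslsigncode verify on a non-Windows box) is still needed; and .msi packages are OLE compound documents, not PE files, so they need a separate check of their DigitalSignature stream.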

