www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Signing jars
Date Wed, 07 Sep 2011 23:42:32 GMT
I know I'm walking into the middle of this, ...

I assume that whatever the signing of a ready-to-release artifact is, the signature is effectively
external (i.e, if there is an embedded signature, it is essentially removed and a placeholder
exists in the document as signed.)

If the signature is external in the first place, this is easier.  And where there is a fixed
way of signing code, as in Microsoft EXE and other artifacts, it might get a little weird
since you want the release signature to be the one that is checked automatically by system
functions, so the committer's signature has to be "out of sight" as far as those functions
are concerned.

There are procedures for countersigning signatures.  Wouldn't that work?  There is still a
problem for who does that, and the space taken by the combination if embedded.  But in no
way is there removal or replacement of the signature of the creator.  It is preserved in some
way. The countersigning signifies whatever additional level of approval that applies, and
it should only be used for that purpose.  

Of course, verification is trickier, because there are two signatures to check, but it can
probably be done in a way where only the counter-signature is what folks use to satisfy themselves
as to the authenticity of a released artifact.  And it is not everyone who needs to know the
procedure for verifying the committer's signature.

I'm not digging any further into details, because I could be looking at a scenario that doesn't
apply anyhow.

 - Dennis

[Note that this is not about the CA kind of certification for establishing that the signer
is the entity it is alleged to be.  That is an independent and still-relevant consideration.]

-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@rowe-clan.net] 
Sent: Wednesday, September 07, 2011 15:43
To: infrastructure-dev@apache.org
Cc: Garrett Serack
Subject: Re: Signing jars

On 9/7/2011 12:03 PM, Benson Margulies wrote:
> i don't think I'm inventing a new code signing method. If the ASF had
> an intermediate CA certificate signed by a root, and issued individual
> code signing certificates to developers, and developers signed jars
> with these as part of being release managers, my theory is that all
> would be well

Precisely.  So don't ask me why Microsoft, for one, refused to implement
this sane schema, but believe me, a few folks such as Garrett Serack at
Microsoft have raised this issue to them repeatedly.

I don't know what sunoracle does with Java code signing, which is why I'm
very grateful that some .jar signing fans have jumped on this topic :)

> So, assuming I'm wrong, if you want 'semantics 1', what's your view on
> 'voting on signatures' and the existing PGP signatures? This is not a
> rhetorical question at all.

You are right, it's not, and as the package (binary, .msi, .jar) is then
modified, it will be up to the committer to trust that package.

I have a new contact whom I'll brief on how we conduct dev@ discussion
and invite him into the loop.  Garrett, I'm happy to also get your coapp
team plugged in at the same time, particularly if you can point out the
subject matter experts on your project.

View raw message