www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Mon, 05 Dec 2011 17:52:01 GMT
On the subject of signing jars, Windows binaries and .msi installer
packages, it seems that infra-dev is partial to the ability to revoke
package signatures if an artifact is not released or is found to have
been corrupted, and that the code signing service from Symantec /
VeriSign / Thawte is the way to go here.

I spoke with Richard and Dean who confirmed that this service would
be offered at no cost to the ASF.  User accounts would be as one of two
roles, an administrator (root-ish) level and a publisher (committer)
who needs to sign packages.  There is no integration at present for
PAM style authentication into our ldap, or SSO solution in this
specific service so we would have to create accounts for each committer
who is doing signed binary releases.

It is batch-able and can be automated.  Obviously there is some work
around setting up that functionality, but it can run on the signers
own PC as opposed to a central repository.  Here's a background paper
on the code signing portal itself;


It is due a major revision entering(or already in?) beta.  That version
introduces support for .jar signing in addition to Win binary/msi signing.
I asked  and they are researching whether Apache could be invited to
participate in the beta, since we would only just be getting up to speed
by the time that portal version launches.

One major step would be for Sam, who is both our Legal VP and Infra VP,
to review the actual agreement/paperwork in detail and determine that
it would be something we are able to sign.  Dean, could you forward that
to Sam, even as we all learn more about the service and come to a decision
of whether we should adopt it or not?

Dean and Richard are happy to answer any questions, here's one that
we started during a brief introductory call.  They are just coming
up to speed about how we handle our infrastructure through mailing
lists, so be nice, and please remember reply-to-all if you want them
to respond!

 Q. Support for JavaScript signing for frameworks like ajax?

On 12/5/2011 11:21 AM, Richard Hall wrote:
> I looked into the java script signing that you had asked about and it's not something
that we currently do (although not to say that we couldn't do it).  Is this something that
you're doing today, and if so, what sign tool are you using (jar signer, Microsoft's sign
tool, etc.).  It's our understanding that even if we provide signing for java scripts that
there is currently no way to validate this in any existing infrastructure (browsers, etc.)
unless you've implemented your our own way of doing this.
> Thanks for any additional input you can provide.

View raw message