www-infrastructure-dev mailing list archives

From Brett Porter <br...@apache.org>
Subject Re: [Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Wed, 14 Dec 2011 23:06:42 GMT

On 15/12/2011, at 9:31 AM, William A. Rowe Jr. wrote:

> On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
>> On the subject of signing jars, Windows binaries and .msi installer
>> packages, it seems that infra-dev is partial to the ability to revoke
>> package signatures if an artifact is not released or is found to have
>> been corrupted, and that the code signing service from Symantec /
>> VeriSign / Thawte is the way to go here.
>> 
>> I spoke with Richard and Dean who confirmed that this service would
>> be offered at no cost to the ASF.  User accounts would be as one of two
>> roles, an administrator (root-ish) level and a publisher (committer)
>> who needs to sign packages.  There is no integration at present for
>> PAM style authentication into our ldap, or SSO solution in this
>> specific service so we would have to create accounts for each committer
>> who is doing signed binary releases.
>> 
>> It is batch-able and can be automated.  Obviously there is some work
>> around setting up that functionality, but it can run on the signer's
>> own PC as opposed to a central repository.  Here's a background paper
>> on the code signing portal itself:
>> 
>> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
>> 
>> It is due a major revision entering (or already in?) beta.  That version
>> introduces support for .jar signing in addition to Win binary/msi signing.
>> I asked and they are researching whether Apache could be invited to
>> participate in the beta, since we would only just be getting up to speed
>> by the time that portal version launches.
>> 
>> One major step would be for Sam, who is both our Legal VP and Infra VP,
>> to review the actual agreement/paperwork in detail and determine that
>> it would be something we are able to sign.  Dean, could you forward that
>> to Sam, even as we all learn more about the service and come to a decision
>> of whether we should adopt it or not?
> 
> What say we?
> 
> Has everyone interested had an opportunity to raise any questions already?
> 
> I'm +1 here, this seems like the straightest line, and I would love to start
> investigating how to automate using their API.  I'd like to see if we can't
> jump aboard their beta for .jar signing, too.
> 
> Are those interested in .jar signing/ant, maven integration ready to take
> a look at this?

I'm interested, but a bit short on time. If it did get set up I could probably help with those
things though.

- Brett

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter
