www-infrastructure-dev mailing list archives

From Dave Cottlehuber <d...@muse.net.nz>
Subject Re: [Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Wed, 18 Jan 2012 09:54:52 GMT
> On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> > On the subject of signing jars, Windows binaries and .msi installer
> > packages, it seems that infra-dev is partial to the ability to revoke
> > package signatures if an artifact is not released or is found to have
> > been corrupted, and that the code signing service from Symantec /
> > VeriSign / Thawte is the way to go here.
> >
> > I spoke with Richard and Dean who confirmed that this service would
> > be offered at no cost to the ASF.  User accounts would be as one of two
> > roles, an administrator (root-ish) level and a publisher (committer)
> > who needs to sign packages.  There is no integration at present for
> > PAM style authentication into our ldap, or SSO solution in this
> > specific service so we would have to create accounts for each committer
> > who is doing signed binary releases.
> >
> > It is batch-able and can be automated.  Obviously there is some work
> > around setting up that functionality, but it can run on the signer's
> > own PC as opposed to a central repository.  Here's a background paper
> > on the code signing portal itself;
> >
> > http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
> >
> > It is due a major revision entering (or already in?) beta.  That version
> > introduces support for .jar signing in addition to Win binary/msi signing.
> > I asked and they are researching whether Apache could be invited to
> > participate in the beta, since we would only just be getting up to speed
> > by the time that portal version launches.
> >
> > One major step would be for Sam, who is both our Legal VP and Infra VP,
> > to review the actual agreement/paperwork in detail and determine that
> > it would be something we are able to sign.  Dean, could you forward that
> > to Sam, even as we all learn more about the service and come to a decision
> > of whether we should adopt it or not?
> What say we?
> Has everyone interested had an opportunity to raise any questions already?
> I'm +1 here, this seems like the straightest line, and I would love to start
> investigating how to automate using their API.  I'd like to see if we can't
> jump aboard their beta for .jar signing, too.
> Are those interested in .jar signing/ant, maven integration ready to take
> a look at this?

Yup, I am interested in this for CouchDB for msi/exe signing. We don't yet
do MSI packaging but it's not far off.

