www-infrastructure-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Official code signing certificate
Date Wed, 13 Jun 2012 15:37:43 GMT
I expect Jürgen will address the time-value of resolving this.  I want to comment on the general

It is generally the case that, to have binary distributions that can be certified for a particular
version of Windows (including the forthcoming Windows 8), the binaries must be signed with
Authenticode signatures.  This applies to everything that is installed/registered with the
system (DLLs, etc.) and the distribution package itself (typically, an MSI or an EXE that
installs and runs an MSI).  Previously, this was provided by Oracle in the signing of the
OpenOffice.org Windows binary distributions that were created under Oracle auspices.

Because obtaining a key pair for the PKI that is used is expensive and requires vetting
of the organization that the key pair is issued to, there is a problem with having them for
individual projects.  There is also, as already understood in other discussions on this
issue, a problem about protection of the private key and how that private key becomes applied
in the signing of Windows binaries that accompany an Apache Release.

One avenue to explore is having ASF become a Certificate Authority (CA) for issuing Authenticode
certificates, Java certificates, etc.  Since it is technically ASF that is the legal entity
and the one that needs to carry out whatever is required to protect private keys, being able
to issue them (and revoke them) for individual projects might be expedient and far more efficient.
The integrity of the signing procedure and the protection of the private keys are unavoidably
a matter for ASF concern and attention.

It is also necessary to address the need for infrastructure support of the release management
process so that code is signed at an appropriate point in the establishment of release artifacts
for release review and approval.  I'm assuming that the code signing has to happen at essentially
the same time as the signing that is done now by PMC committers and release managers to
lock down the complete set of release artifacts and ensure their integrity from then on.
I don't have enough understanding to be helpful with that part.  It has to be addressed in
any solution involving Authenticode and the Java equivalent for signing artifacts, though,
along with the additional problem of secure custody and authorized use of the private keys
used in such signing.

 - Dennis

-----Original Message-----
From: Tony Stevenson [mailto:pctony@apache.org] 
Sent: Wednesday, June 13, 2012 01:40
To: infrastructure-dev@apache.org
Subject: Re: Official code signing certificate

Jürgen Schmidt wrote on Wed, Jun 13, 2012 at 09:52:13AM +0200:
> On 6/11/12 4:03 PM, Jürgen Schmidt wrote:
> > Hi,
> > 
> > I would like to ask what steps are necessary to get an official Apache
> > code signing certificate.
> > 
> > We would need such a certificate to sign our Apache OpenOffice binary
> > releases and make them trusted in the Windows world with Apache as
> > publisher.
> > 
> > Note: 87% of our >3000000 downloads of AOO 3.4 are from Windows
> > 
> > Especially with the upcoming Windows 8 app store this becomes even more
> > important.
> > 
> > We had signed our releases in the past and we have some tooling in
> > place in our build process. The details of course have to be figured out
> > but that should hopefully be a minor problem.
> > 
> > The questions are
> > 1. how can we get an official valid Apache code signing certificate
> > 1.1 which steps are necessary because it is not for free
> > 
> > 2. how can we use it in our build process, or better, how can we make it
> > usable for a limited group of users (I would say at least 3 PMC members
> > to have enough fallbacks) to sign the final releases.
> > 
> > Any feedback or hints on how to address this correctly are welcome.
> Because of the fact that it is potentially time critical (details I can
> provide via private email on demand), does anybody have some information
> for me?


We do not currently have a mechanism in place to offer this.  Several people have started
conversations, but nothing has ever come of it.  If it was this critical perhaps it should
have been mentioned earlier, ideally on the incubator proposal. 

First up is the cost of purchasing these certs; we would almost certainly need at least
one cert per PMC, and AOO would likely need to share one with other podlings.  We would then
need to set up a corporate account and issue/manage them ourselves.  None of which we have,
nor were any of these budgeted for.

This is not a 'No you can't have it' - but it is a 'we don't have it yet, and we'd need to do
it'.  With that in mind you may want to give us any details you have.  If they are private,
please use infrastructure-private@; if they are hyper-sensitive or security related, please
use root@

> Juergen



Tony Stevenson

tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
GPG: 1024D/51047D66
