www-infrastructure-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Official code signing certificate
Date Wed, 13 Jun 2012 17:44:53 GMT
Yes, a PFX file holds the private key of a PKI key pair.  The individual one can be used for
your signing things.  That is technically not needed for releases, since the ASF process uses
external signatures employing registered public keys of the committers who (counter-)sign
the artifacts.

For Authenticode signatures which are embedded in the artifacts themselves (as you may have
done), there needs to be a certificate for Apache OpenOffice, not for you or me or any other
committer.  There has to be very strong control of that private key and its use in signings
to protect against it being used in signing counterfeit binaries, especially for malicious
software.  (Microsoft just revoked a CA because of a vulnerability that allowed just that
kind of thing.)

If the ASF were a CA, they could issue the key pair for Apache OpenOffice (still subject to
all of the safeguards required) as well as ones for other projects.  This also means they
would be individually revocable if that became necessary.  This avoids requiring the Secretary
of the Foundation or some other official representative to obtain Authenticode certificates
for individual projects.  (Note: There could be a single ASF certificate used for all projects,
but it makes governance even trickier and revocation becomes super-painful.)

 - Dennis

-----Original Message-----
From: Jürgen Schmidt [mailto:jogischmidt@googlemail.com] 
Sent: Wednesday, June 13, 2012 09:11
To: infrastructure-dev@apache.org
Subject: Re: Official code signing certificate

On 6/13/12 5:37 PM, Dennis E. Hamilton wrote:
> I expect Jürgen will address the time-value of resolving this. 

yes I will send a short note to infrastructure-private

 I want to comment on the general request.

[ ... ]
> One avenue to explore is having ASF become a Certificate Authority (CA) for issuing Authenticode
> certificates, Java certificates, etc.  Since it is technically ASF that is the legal entity
> and the one that needs to carry out whatever is required to protect private keys, being able
> to issue them (and revoke them) for individual projects might be expedient and far more efficient.
> The integrity of the signing procedure and the protection of the private keys are unavoidably
> a matter for ASF concern and attention.
[ ... ]

Thanks Dennis for explaining it.

In the past we used a certificate "Personal Information Exchange" pfx
file + related password during the build and packing process to sign the
different artifacts that have to be signed. I don't yet know all the
details and am currently doing some analysis of how the process worked.

But it seems that pfx files can be an approach to manage the certificates
at least for code signing.

I will provide more information asap.
>  - Dennis
> -----Original Message-----
> From: Tony Stevenson [mailto:pctony@apache.org] 
> Sent: Wednesday, June 13, 2012 01:40
> To: infrastructure-dev@apache.org
> Subject: Re: Official code signing certificate
> Jürgen Schmidt wrote on Wed, Jun 13, 2012 at 09:52:13AM +0200:
>> On 6/11/12 4:03 PM, Jürgen Schmidt wrote:
>>> Hi,
>>> I would like to ask what steps are necessary to get an official Apache
>>> code signing certificate.
>>> We would need such a certificate to sign our Apache OpenOffice binary
>>> releases and make them trusted in the Windows world with Apache as
>>> publisher.
>>> Note: 87% of our >3000000 downloads of AOO 3.4 are from Windows
>>> Especially with the upcoming Windows 8 app store this becomes even more
>>> important.
>>> We had signed our releases in the past and we have some tooling in
>>> place in our build process. The details of course have to be figured out
>>> but that should hopefully be a minor problem.
>>> The questions are
>>> 1. how can we get an official valid Apache code signing certificate
>>> 1.1 which steps are necessary because it is not for free
>>> 2. how can we use it in our build process or better how can we make it
>>> useable for a limited group of users (I would say at least 3 PMC members
>>> to have enough fall backs) to sign the final releases.
>>> Any feedback or hints on how to address this correctly are welcome.
>> Because of the fact that it is potentially time critical (details I can
>> provide via private email on demand), does anybody have some information
>> for me?
> Juergen, 
> We do not currently have a mechanism in place to offer this.  Several people have started
> conversations, but nothing has ever come of it.  If it was this critical perhaps it should
> have been mentioned earlier, ideally on the incubator proposal.
> First up is the cost with purchasing these certs, we would almost certainly need at least
> one cert per PMC, and AOO would likely need to share one with other podlings.  We would then
> need to set up a corporate account and issue/manage them ourselves.  None of which we have,
> nor were any of these budgeted for.
> This is not a 'No you can't have it' - but it is a 'we don't have it yet, and we'd need
> to do it'.  With that in mind you may want to give us any details you have.  If they are private,
> please use infrastructure-private@; if they are hyper-sensitive or security related, please
> use root@
>> Juergen
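An added illustration of the point made above about what a PFX file carries (this script is not from the thread and not part of the OpenOffice build tooling): it mints two throwaway PFX files with openssl and checks which one is fit for release signing. The subject name, paths and password are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: mint throwaway PFX files with openssl and
# inspect them the way a release engineer should before handing one to a build.
# Every name, path and password here is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="demo-password"   # constructed; a real one lives in a secret store, not in a script

# make_pfx OUTFILE EKU: self-signed cert restricted to the given extended key
# usage (codeSigning or serverAuth), bundled with its private key into a PFX.
make_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Project Demo Signer" \
    -addext "extendedKeyUsage=$2" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$1" -passout "pass:$PASS"
}

# The PFX itself is the secret: report whether it carries a private key.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Subject of the certificate inside the PFX (who the signature will name).
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/^subject=//'
}

# Succeeds only if the certificate is actually marked for code signing
# (EKU 1.3.6.1.5.5.7.3.3); a TLS server cert packed into a PFX must be rejected.
pfx_is_code_signing() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -ext extendedKeyUsage | grep -q 'Code Signing'
}

SIGNER="$WORK/signer.pfx";  make_pfx "$SIGNER" codeSigning
TLSCERT="$WORK/tls.pfx";    make_pfx "$TLSCERT" serverAuth

pfx_subject "$SIGNER"
pfx_has_private_key "$SIGNER" && echo "signer.pfx holds a private key: guard the file"
pfx_is_code_signing "$SIGNER" && echo "signer.pfx: code-signing certificate"
pfx_is_code_signing "$TLSCERT" || echo "tls.pfx: not a code-signing certificate, refuse it"
```

Because the private key travels inside the PFX, the file plus its password is the whole signing capability; that is why the thread wants it held by very few people and revocable per project.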
