www-infrastructure-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Official code signing certificate
Date Wed, 13 Jun 2012 21:18:59 GMT
Thanks Tony,

It is valuable to know that everyone's on the same page in a discussion such as this.

One subtlety that I want to emphasize for everyone watching:  The Certificates required for
Authenticode code signing (and I presume for signing Java code, etc.) are issued specifically
for code signing.  Not any general e-mail, persona non-assured, or self-issued certificate
will do.  They are expensive because of the vetting required before the CA will countersign
any certificate for code-signing and, I suppose, because of how valuable such certificates

I only know about Symantec's VeriSign Code Signing Certificates, <https://www.symantec.com/theme.jsp?themeid=verisign-code-signing&inid=vrsn_symc_cs_index>.
 I've never investigated them for anything but personal use, but this covers the scope: <https://www.symantec.com/verisign/code-signing/microsoft-authenticode>.

I think there are two matters that need to be dealt with beyond coming up with the funding,

 1. Designation of contacts and initial custody of the certificate. I'm not sure what that
drill is -- I've never been anyone but an individual for one of these, and not recently. 
It appears that the private key is going to be generated on the machine with the browser (IE7/8
apparently) that is used to request the certificate, so that will be the immediate point of
custody.  I am not clear how the organizational authentication requirements impact the delivery
process, but the key pair is always generated on the recipient's computer, nowhere else. 
It being kept secure, shared with anyone, and used in signing is a problem for the receiving
organization to deal with.  

 2. Creation of some custody arrangement for the private key and a way to accomplish the signing
at an appropriate place in the development of signed artifacts that go into a release.  Getting
a certificate is easy, apart from the chain of custody and who keeps them safe.  Structuring
the setup of release artifacts so that the code is signed as needed is the biggest speed bump
that I see.

 - Dennis  

-----Original Message-----
From: Tony Stevenson [mailto:pctony@apache.org] 
Sent: Wednesday, June 13, 2012 12:55
To: infrastructure-dev@apache.org; dennis.hamilton@acm.org; jogischmidt@googlemail.com
Subject: Re: Official code signing certificate

Guys, thanks all the same but I do not need a lesson in PKI.  It's not rocket science. 

What we do need to do is look into options for a managed PKI, the issue with these is the
massive costs, for which we have not budgeted as it was not requested by anyone during the
budgeting process. 
Do you have any suggestions on which vendors we should start with?  Symantec? Verisign? Once
we identify a vendor we will need to make sure it works, then we might well need to approach
the board to approve the funding. 

Dennis E. Hamilton wrote on Wed, Jun 13, 2012 at 10:44:53AM -0700:
> Yes, a PFX file holds the private key of a PKI key pair.  The individual one can be used
> for your signing things.  That is technically not needed for releases, since the ASF process
> uses external signatures employing registered public keys of the committers who (counter-)sign
> the artifacts.
> For Authenticode signatures which are embedded in the artifacts themselves (as you may
> have done), there needs to be a certificate for Apache OpenOffice, not for you or I or any
> other committer.  There has to be very strong control of that private key and its use in signings
> to protect against it being used in signing counterfeit binaries, especially for malicious
> software.  (Microsoft just revoked a CA because of a vulnerability that allowed just that
> kind of thing.)
> If the ASF were a CA, they could issue the key pair for Apache OpenOffice (still subject
> to all of the safeguards required) as well as ones for other projects.  This also means they
> would be individually revocable if that became necessary.  This avoids requiring the Secretary
> of the Foundation or some other official representative to obtain Authenticode certificates
> for individual projects.  (Note: There could be a single ASF certificate used for all projects,
> but it makes governance even trickier and revocation becomes super-painful.)
>  - Dennis
> -----Original Message-----
> From: Jürgen Schmidt [mailto:jogischmidt@googlemail.com] 
> Sent: Wednesday, June 13, 2012 09:11
> To: infrastructure-dev@apache.org
> Subject: Re: Official code signing certificate
> On 6/13/12 5:37 PM, Dennis E. Hamilton wrote:
> > I expect Jürgen will address the time-value of resolving this. 
> yes I will send a short note to infrastructure-private
>  I want to comment on the general request.
> [ ... ]
> > 
> > One avenue to explore is having ASF become a Certificate Authority (CA) for issuing
> > Authenticode certificates, Java certificates, etc.  Since it is technically ASF that is the
> > legal entity and the one that needs to carry out whatever is required to protect private keys,
> > being able to issue them (and revoke them) for individual projects might be expedient and
> > far more efficient.  The integrity of the signing procedure and the protection of the private
> > keys are unavoidably a matter for ASF concern and attention.
> [ ... ]
> Thanks Dennis for explaining it.
> In the past we used a certificate "Personal Information Exchange" pfx
> file + related password during the build and packing process to sign the
> different artifacts that have to be signed. I don't yet know all the
> details and am currently doing some analysis of how the process worked.
> But it seems that pfx files can be an approach to manage the certificates
> at least for code signing.
> I will provide more information asap.
> Juergen
> >  - Dennis
> > 
> > -----Original Message-----
> > From: Tony Stevenson [mailto:pctony@apache.org] 
> > Sent: Wednesday, June 13, 2012 01:40
> > To: infrastructure-dev@apache.org
> > Subject: Re: Official code signing certificate
> > 
> > Jürgen Schmidt wrote on Wed, Jun 13, 2012 at 09:52:13AM +0200:
> >> On 6/11/12 4:03 PM, Jürgen Schmidt wrote:
> >>> Hi,
> >>>
> >>> I would like to ask what steps are necessary to get an official Apache
> >>> code signing certificate.
> >>>
> >>> We would need such a certificate to sign our Apache OpenOffice binary
> >>> releases and make them trusted in the windows world with Apache as
> >>> publisher.
> >>>
> >>> Note: 87% of our >3000000 downloads of AOO 3.4 are from Windows
> >>>
> >>> Especially with the upcoming Windows 8 app store this becomes even more
> >>> important.
> >>>
> >>> We had signed our releases in the past and we have some tooling in
> >>> place in our build process. The details of course have to be figured out
> >>> but that should hopefully be a minor problem.
> >>>
> >>> The questions are
> >>> 1. how can we get an official valid Apache code signing certificate
> >>> 1.1 which steps are necessary because it is not for free
> >>>
> >>> 2. how can we use it in our build process or better how can we make it
> >>> useable for a limited group of users (I would say at least 3 PMC members
> >>> to have enough fall backs) to sign the final releases.
> >>>
> >>> Any feedback or hints on how to address this correctly are welcome.
> >>
> >> Because of the fact that it is potentially time critical (details I can
> >> provide via private email on demand) does anybody have some information
> >> for me?
> > 
> > Juergen, 
> > 
> > We do not currently have a mechanism in place to offer this.  Several people have
> > started conversations, but nothing has ever come of it.  If it was this critical perhaps it
> > should have been mentioned earlier, ideally on the incubator proposal. 
> > 
> > First up is the cost with purchasing these certs, we would almost certainly need
> > at least one cert per PMC, and AOO would likely need to share one with other podlings.  We
> > would then need to setup a corporate account and issue/manage them ourselves.  None of which
> > we have, nor were any of these budgeted for. 
> > 
> > This is not a 'No you can't have it' - but it is a 'we don't have it yet, and we'd
> > need to do it'.  With that in mind you may want to give us any details you have.  If they
> > are private, please use  infrastructure-private@  if they are hyper-sensitive, or security
> > related please use root@ 
> > 
> >>
> >> Juergen
> >>
> > 



Tony Stevenson

tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
GPG: 1024D/51047D66
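As an added illustration, not part of any message above or of ASF or AOO tooling: a PowerShell check a release manager could run over built artifacts before publishing, to enforce the points the thread raises. It confirms each file carries a valid Authenticode signature, that the signer is the project's own publisher certificate rather than an individual's, that the certificate is actually issued for code signing (the Code Signing extended key usage), and that the signature is timestamped. The staging directory and the expected publisher subject are assumptions.

```powershell
# Added example (not ASF tooling). $ArtifactDir and $ExpectedPublisher are
# placeholders; the subject must match the project's code-signing certificate.
param(
    [string]$ArtifactDir       = 'C:\release-staging',
    [string]$ExpectedPublisher = 'CN=Example Publisher, O=Example Org'
)
# id-kp-codeSigning: the EKU a CA puts on certificates issued for code signing.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'
function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $CodeSigningOid) { return $true }
            }
        }
    }
    return $false
}
$failures = 0
Get-ChildItem -Path $ArtifactDir -Recurse -Include *.exe, *.dll, *.msi | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $problems = @()
    # 'Valid' means the file hash matches and the chain builds to a trusted root;
    # 'NotSigned', 'HashMismatch' and 'NotTrusted' all fail the release.
    if ($sig.Status -ne 'Valid') { $problems += "status=$($sig.Status)" }
    if ($sig.SignerCertificate) {
        # An individual committer's certificate is not the project's publisher.
        if ($sig.SignerCertificate.Subject -ne $ExpectedPublisher) {
            $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
        }
        # A general e-mail or self-issued certificate will not carry this EKU.
        if (-not (Test-CodeSigningEku $sig.SignerCertificate)) {
            $problems += 'signer certificate lacks the Code Signing EKU'
        }
        # Without a countersignature timestamp the signature stops validating
        # once the signing certificate expires.
        if (-not $sig.TimeStamperCertificate) { $problems += 'no timestamp' }
    }
    if ($problems.Count -gt 0) {
        $failures++
        Write-Warning ("{0}: {1}" -f $_.Name, ($problems -join '; '))
    } else {
        Write-Host ("OK   {0} (signer {1})" -f $_.Name, $sig.SignerCertificate.Thumbprint)
    }
}
Write-Host "$failures artifact(s) failed signature policy"
exit $failures
```

A non-zero exit code lets a release script refuse to publish, which is the kind of "signed as needed" gate Dennis describes as the biggest speed bump in the release setup.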
