From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Official code signing certificate
Date Wed, 13 Jun 2012 22:05:38 GMT
I just saw Roy's follow-up and that makes more sense to me, as does this from Sam.  (My reaction
to Roy crossed in the mail.  I should be taking Sam's advice about waiting 24 hours, which
I shall now commence.)

I agree that there are important things to be investigated.

I personally have no qualms about the signing being done by a trusted party not on the PPMC
or PMC itself. 

There are practical ways to determine the authenticity of those artifacts (there are many
inside an individual installer binary) after that as part of agreeing that the artifacts are
authentic.

I foresee a workflow that would have the bits to be signed turned over to the third party
for signing and incorporation into a signed installer package.  It would be relatively easy
to confirm that the code-signed artifacts are indeed those that were submitted for code-signing.

If that would get the job done, I think there is an apparition of a workable solution before
us.  I think it remains for the AOO PPMC to circle back now.

 - Dennis

-----Original Message-----
From: sa3ruby@gmail.com [mailto:sa3ruby@gmail.com] On Behalf Of Sam Ruby
Sent: Wednesday, June 13, 2012 14:45
To: infrastructure-dev@apache.org; dennis.hamilton@acm.org
Subject: Re: Official code signing certificate

On Wed, Jun 13, 2012 at 5:18 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Thanks Tony,
>
> It is valuable to know that everyone's on the same page in a discussion such as this.

Just so we are on the same page: for context there was an unscheduled
outage today that affected quite a number of core infrastructure
services.  So while this request is an important one, the primary job
of the infrastructure contractors is keeping our machines up and
running.

Meanwhile, there are important things that need to be investigated,
and not all of them need to be done by ASF infrastructure contractors.
For example, as Roy suggests, is there a third party who would be
willing to do the signing, and would that be acceptable to the AOO
PPMC?

Furthermore, can the AOO PPMC make a proposal along the lines of Roy's
second email: "a secure build environment by which a person under
contract with the ASF can produce a binary artifact, and then a
process by which a distributed group of volunteers can adequately
verify the binaries that were built."?

> I think there are two matters that need to be dealt with beyond coming up with the funding,
> <https://www.symantec.com/verisign/code-signing/microsoft-authenticode/buy>:

If the price is as stated there: $499 US for one year for one
certificate, if it looks to me like there is promising work to address
the questions stated above, then I will authorize such a purchase.
Clearly should this all work out, we likely will want to have more
than one certificate for more than one year down the road, but we can
worry about that in the next budget cycle.

>  1. Designation of contacts and initial custody of the certificate.

The infrastructure team has other certificates that they manage.  My
initial take is that this is something that we will not hand out to
PMC members, but would be managed by our existing contractors.  If
that is not acceptable, please explain why.

>  2. Creation of some custody arrangement for the private key and a way to accomplish
> the signing at an appropriate place in the development of signed artifacts that go into a
> release.  Getting a certificate is easy, apart from the chain of custody and who keeps them
> safe.  Structuring the setup of release artifacts so that the code is signed as needed is
> the biggest speed bump that I see.

I like Roy's outline better.  The AOO PPMC designs a build environment
that can be verified and implemented by ASF contractors.  The AOO PPMC
validates the output of that process before distribution.

Tell me that can be done, or why that is not possible, or describe
something better.

>  - Dennis

- Sam Ruby
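The last step of the workflow Dennis describes, confirming that the code-signed installer is the same artifact that was handed over for signing, can be checked mechanically for Windows Authenticode, the signature type the Symantec link refers to. The following Python is an added example, not code from this thread or from the ASF or AOO projects; the region offsets come from the PE/Authenticode specification, the tiny PE image and "signature" are constructed inline, and hashing in plain file order assumes the sections lie in file order (the usual case, where it equals the spec's per-section order).

```python
import hashlib
import struct
# Hypothetical helper, not from the page or any project.  Authenticode hashes a PE
# with three regions left out (the CheckSum field, the Certificate Table directory
# entry, and the certificate table itself), so the submitted unsigned bits and the
# signed installer should produce the same digest if nothing else was changed.

def authenticode_regions(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_len) from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                         # optional header start
    checksum_off = opt + 64                         # same for PE32 and PE32+
    dirs_off = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)
    secdir_off = dirs_off + 4 * 8                   # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_len

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    checksum_off, secdir_off, cert_off, cert_len = authenticode_regions(pe)
    skip = [(checksum_off, 4), (secdir_off, 8)] + ([(cert_off, cert_len)] if cert_len else [])
    h, pos = hashlib.new(algo), 0
    for off, length in sorted(skip):                # hash the bytes between the gaps
        h.update(pe[pos:off])
        pos = off + length
    h.update(pe[pos:])
    return h.hexdigest()

def matches_submitted(unsigned: bytes, signed: bytes) -> bool:
    """True if `signed` is the submitted bytes plus a signature (and any alignment padding)."""
    padded = unsigned + b"\0" * (-len(unsigned) % 8)   # signing tools align the table to 8
    expected = {authenticode_digest(unsigned), authenticode_digest(padded)}
    return authenticode_digest(signed) in expected

def build_sample_pe(cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 image, not a real program; `cert` stands in for the table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 64, 0x1234 if cert else 0)   # signing tools rewrite CheckSum
    section = b".text\0\0\0" + bytes(32)
    body = b"\xCC" * 13                             # odd length, so signing must pad
    assemble = lambda o: dos + b"PE\0\0" + coff + bytes(o) + section + body
    image = assemble(opt)
    if cert:
        pad = -len(image) % 8
        struct.pack_into("<II", opt, 96 + 4 * 8, len(image) + pad, len(cert))
        image = assemble(opt) + b"\0" * pad + cert
    return image
```

A volunteer verifying a release would run `matches_submitted` on the bytes they handed over and the signed installer they got back; any byte changed outside the signature regions makes the digests differ.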

