www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: Official code signing certificate
Date Wed, 13 Jun 2012 08:40:26 GMT
Jürgen Schmidt wrote on Wed, Jun 13, 2012 at 09:52:13AM +0200:
> On 6/11/12 4:03 PM, Jürgen Schmidt wrote:
> > Hi,
> > 
> > I would like to ask what steps are necessary to get an official Apache
> > code signing certificate.
> > 
> > We would need such a certificate to sign our Apache OpenOffice binary
> > releases and make them trusted in the Windows world with Apache as
> > publisher.
> > 
> > Note: 87% of our >3000000 downloads of AOO 3.4 are from Windows
> > 
> > Especially with the upcoming Windows 8 app store this becomes even more
> > important.
> > 
> > We had signed our releases in the past and we have some tooling in
> > place in our build process. The details of course have to be figured out
> > but that should hopefully be a minor problem.
> > 
> > The questions are
> > 1. how can we get an official valid Apache code signing certificate
> > 1.1 which steps are necessary because it is not for free
> > 
> > 2. how can we use it in our build process or better how can we make it
> > useable for a limited group of users (I would say at least 3 PMC members
> > to have enough fall backs) to sign the final releases.
> > 
> > Any feedback or hints on how to address this correctly are welcome.
> Because of the fact that it is potentially time critical (details I can
> provide via private email on demand), does anybody have some information
> for me?

We do not currently have a mechanism in place to offer this.  Several people have started
conversations, but nothing has ever come of it.  If it was this critical perhaps it should
have been mentioned earlier, ideally on the incubator proposal. 

First up is the cost of purchasing these certs; we would almost certainly need at least
one cert per PMC, and AOO would likely need to share one with other podlings.  We would then
need to set up a corporate account and issue/manage them ourselves.  None of which we have,
nor were any of these budgeted for.

This is not a 'No, you can't have it' - but it is a 'we don't have it yet, and we'd need to do
it'.  With that in mind you may want to give us any details you have.  If they are private,
please use infrastructure-private@; if they are hyper-sensitive or security related, please
use root@

> Juergen

Tony Stevenson

tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
GPG: 1024D/51047D66