www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: Official code signing certificate
Date Tue, 26 Jun 2012 07:13:26 GMT
William A. Rowe Jr. wrote on Mon, Jun 25, 2012 at 05:27:33PM -0500:
> On 6/23/2012 4:40 PM, Sam Ruby wrote:
> > On Sat, Jun 23, 2012 at 5:33 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> >>
> >> If we now have 5-7 projects looking for code signing, I'd suggest it is time
> >> for Sam as VP infra, or his delegate, to re-approach the Symantec team and
> >> find out the terms and conditions on their code signing service and the
> >> cost.  Have a couple infra team members act as admins.  As I may be signing
> >> objects I would prefer not to also be an admin, but would serve if pressed.
> > 
> > I've already stated that I'm willing to authorize the purchase of an
> > ASF certificate should we need one.
> 
> Reiterating two options;
> 
>  1. Obtain an ASF code signing organization cert.  Build a service to automate
>     the submission for signing in an auditable and automated manner.  Unsigned
>     blobs from svn in, signed blobs committed back to subversion for the project
>     to then package or deploy.  Complete transparency over who submitted what
>     binary bits.  A malicious or unintentionally viral package signature cannot
>     be withdrawn.  We have an offer for such a cert, free, from Symantec.
> 
>  2. Sign up for the Symantec Code Signing service.  Several current infra root
>     folks gain admin rights to create accounts for release managers.  RM's send
>     up unsigned bits, get back signed bits.  Each binary has its own unique
>     cert which can be later invalidated due to malicious or unintentionally
>     viral package contents.  We have an offer for such a service, free, from
>     Symantec.
> 
> Reinventing the wheel seems so foolish now that Symantec went from initially
> discussing prices for option 2 to telling us we would be invited to use that
> service for free.

Bill, do you think you could loop me in with said Symantec employee who
can possibly help so I can progress this avenue while at the same time
letting the peanut gallery do its thing?

Direct with me via my ASF mail address for now is fine, then I can loop
in infra-(dev|private) as required. 

> Bill

-- 

Cheers,
Tony

---------------------------------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
GPG: 1024D/51047D66
http://blog.pc-tony.com
---------------------------------------------------------------

