www-infrastructure-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Official code signing certificate
Date Mon, 25 Jun 2012 14:26:18 GMT
Hi Jürgen,

On Jun 25, 2012, at 1:09 AM, Jürgen Schmidt wrote:

> On 6/24/12 5:08 AM, Dave Fisher wrote:
>> 
>> On Jun 14, 2012, at 1:57 AM, Jürgen Schmidt wrote:
>> 
>>> On 6/13/12 10:35 PM, Sam Ruby wrote:
>>>> On Wed, Jun 13, 2012 at 3:52 AM, Jürgen Schmidt
>>>> <jogischmidt@googlemail.com> wrote:
>>>>>> 
>>>>>> The questions are
>>>>>> 1. how can we get an official valid Apache code signing certificate
>>>>>> 1.1 which steps are necessary because it is not for free
>>>>>> 
>>>>>> 2. how can we use it in our build process or better how can we make it
>>>>>> usable for a limited group of users (I would say at least 3 PMC members
>>>>>> to have enough fallbacks) to sign the final releases.
>>>> 
>>>> Before spending any more time on this, Jürgen would it be possible for
>>>> you to find answers to this outside of an ASF context?  Specifically,
>>>> is there somebody who knows how to get such a certificate and what it
>>>> would cost, and what it would take to use it?
>>>> 
>>>> Note: the final solution may not be that it is PMC members that are
>>>> the ones doing the signing.
>>> 

Considering this important likely fact.

<snip>

>>> I will come back with further information.
>>> 
>>> Juergen
>>> 
>>> Side note: AOO binaries are essential for our broader user base, they
>>> are not interested in source releases and they are not able to build an
>>> office on their own. Keep in mind that AOO is an end user oriented
>>> application. It's a new kind of application here at Apache but the
>>> number of downloads is telling enough about it.
>> 
>> AOO does have buildbots in place. Certainly these can be adapted to add the correct
>> "signtool.exe" commands at the correct locations in the build. At least that's how it worked
>> for an Excel Add-in that my team at work produced in Visual Studio 2008 a few years ago. Execution
>> of that step could somehow take into account whether or not an Apache Infra contractor was
>> initiating this cycle of the build. In other cases for "non-official" builds certificates with
>> less authority could be used.
>> 
> 
> we had a signing process in place that can be triggered during the build
> process to sign *.dlls, *.exe etc. and a post-build step to sign the
> final setup.
> 
> As I have mentioned on our ooo-dev list I was able to create a first
> signed build of AOO with my self signed test certificate.
> 
> The process used a Personal Information Exchange file (pfx) of the cert
> + a passcode. In case of AOO I have to do some further tests.

Sure thing. As evidenced by the other parts of this thread, it is likely that the final application
of an ASF certificate will be during a build by an Infrastructure contractor.

Is there any reason not to think that a Windows buildbot will work for building a signed release?

Regards,
Dave

> 
> Juergen
>> Regards,
>> Dave
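The signing flow discussed in this thread (signtool.exe run from a buildbot step for the *.dll and *.exe files, a post-build step for the final setup, a pfx file plus passcode, and a certificate with less authority for non-official builds), written out as an added Python example. This is not code from the thread or from the AOO build system. The environment variable names, the pfx paths, the timestamp URL and the rule that marks a build as an Infra-initiated release are assumptions; the signtool.exe options used are the documented ones for pfx signing, SHA-256 digests, RFC 3161 timestamps and verification.

```python
"""Added example (not from the thread or the AOO build): sign build output
with signtool.exe, choosing the official certificate only for an official,
Infra-initiated release build and a self-signed test certificate otherwise."""
import os
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

SIGNABLE_SUFFIXES = (".dll", ".exe")


@dataclass(frozen=True)
class SigningCert:
    pfx_path: str       # Personal Information Exchange file: certificate + private key
    password_var: str   # env var carrying the passcode; the passcode itself is never stored here
    timestamp_url: str  # RFC 3161 timestamp server, so signatures stay valid after the cert expires
    official: bool


# Assumed locations. The official pfx would exist only on the Infra-controlled builder.
OFFICIAL_CERT = SigningCert("C:/secure/asf-codesign.pfx", "ASF_PFX_PASSCODE",
                            "http://timestamp.example.invalid/rfc3161", True)
TEST_CERT = SigningCert("C:/build/aoo-test-selfsigned.pfx", "TEST_PFX_PASSCODE",
                        "http://timestamp.example.invalid/rfc3161", False)


def select_cert(env: Dict[str, str]) -> SigningCert:
    """Official certificate only when the build is flagged as an official release
    (assumed flag AOO_OFFICIAL_RELEASE=1) and the passcode is actually present;
    every other build, including a developer's own, gets the test certificate."""
    if env.get("AOO_OFFICIAL_RELEASE") == "1" and env.get(OFFICIAL_CERT.password_var):
        return OFFICIAL_CERT
    return TEST_CERT


def collect_signables(files: Iterable[str]) -> List[str]:
    """Keep only the PE files that are signed during the build phase."""
    return sorted(f for f in files if f.lower().endswith(SIGNABLE_SUFFIXES))


def sign_cmd(cert: SigningCert, target: str, passcode: str) -> List[str]:
    """signtool.exe sign: pfx file, SHA-256 file digest, RFC 3161 timestamp.
    /p is omitted when the (test) pfx has no passcode."""
    cmd = ["signtool.exe", "sign", "/f", cert.pfx_path]
    if passcode:
        cmd += ["/p", passcode]
    cmd += ["/fd", "sha256", "/tr", cert.timestamp_url, "/td", "sha256", target]
    return cmd


def verify_cmd(target: str) -> List[str]:
    """Check the result against the default Authenticode policy (/pa)."""
    return ["signtool.exe", "verify", "/pa", target]


def redact(cmd: List[str], passcode: str) -> List[str]:
    """Keep the passcode out of the buildbot log."""
    return [("***" if passcode and arg == passcode else arg) for arg in cmd]


def plan_signing(files: Iterable[str], setup_file: str,
                 env: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Build phase: sign every dll/exe. Post-build phase: sign the final setup.
    Every sign is followed by a verify so a bad signature fails the build."""
    cert = select_cert(env)
    passcode = env.get(cert.password_var, "")
    steps: List[Tuple[str, List[str]]] = []
    for f in collect_signables(files):
        steps.append(("build", sign_cmd(cert, f, passcode)))
        steps.append(("build", verify_cmd(f)))
    steps.append(("post-build", sign_cmd(cert, setup_file, passcode)))
    steps.append(("post-build", verify_cmd(setup_file)))
    return steps


def run_plan(steps: List[Tuple[str, List[str]]], env: Dict[str, str],
             runner=subprocess.run) -> bool:
    """Execute the plan; stop at the first failing signtool call."""
    passcode = env.get(select_cert(env).password_var, "")
    for phase, cmd in steps:
        print(f"[{phase}] {' '.join(redact(cmd, passcode))}")
        if runner(cmd, check=False).returncode != 0:
            return False
    return True


if __name__ == "__main__":
    import sys
    # Usage: python sign_build.py <output dir> <final setup .exe>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    setup = sys.argv[2] if len(sys.argv) > 2 else "Apache_OpenOffice_setup.exe"
    found = [str(p) for p in Path(root).rglob("*") if p.is_file()]
    env = dict(os.environ)
    ok = run_plan(plan_signing(found, setup, env), env)
    sys.exit(0 if ok else 1)
```

On a builder this runs with signtool.exe on PATH and only the Infra-initiated job exporting the release flag and the passcode variable; the test certificate path is what every other build takes, which is the "less authority" case from the thread. The redact() step only protects the log: with `/p` the passcode is still visible in the process list while signtool runs, so a stricter setup imports the pfx once into the build account's certificate store and selects it with signtool's `/sha1 <thumbprint>` option, so that no passcode ever appears on a command line.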