www-infrastructure-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Official code signing certificate
Date Wed, 13 Jun 2012 16:11:21 GMT
On 6/13/12 5:37 PM, Dennis E. Hamilton wrote:
> I expect Jürgen will address the time-value of resolving this. 

Yes, I will send a short note to infrastructure-private.

> I want to comment on the general request.
> 
> It is generally the case that, for binary distributions that can be certified for a
> particular version of Windows (including the forthcoming Windows 8), the binaries must be
> signed with Authenticode signatures. This applies to everything that is installed/registered
> with the system (DLLs, etc.) and the distribution package itself (typically, an MSI or an
> EXE that installs and runs an MSI). Previously, this was provided by Oracle in the signing
> of the OpenOffice.org Windows binary distributions that were created under Oracle auspices.
> 
> Because obtaining a key pair for the PKI that is used is expensive and requires
> vetting of the organization that the key pair is issued to, there is a problem with having
> them for individual projects. There is also, as already understood in other discussions
> on this issue, a problem about protection of the private key and how that private key becomes
> applied in the signing of Windows binaries that accompany an Apache Release.
> 
> One avenue to explore is having ASF become a Certificate Authority (CA) for issuing Authenticode
> certificates, Java certificates, etc. Since it is technically ASF that is the legal entity
> and the one that needs to carry out whatever is required to protect private keys, being able
> to issue them (and revoke them) for individual projects might be expedient and far more efficient.
> The integrity of the signing procedure and the protection of the private keys are unavoidably
> a matter for ASF concern and attention.
> 
> It is also necessary to address the need for infrastructure support of the release management
> process so that code is signed at an appropriate point in the establishment of release artifacts
> for release review and approval. I'm assuming that the code signing has to happen at essentially
> the same time as the signing that is done now by PMC committers and release managers to
> lock down the complete set of release artifacts and ensure their integrity from then on.
> I don't have enough understanding to be helpful with that part. It has to be addressed in
> any solution involving Authenticode and the Java equivalent for signing artifacts, though,
> along with the additional problem of secure custody and authorized use of the private keys
> used in such signing.
> 

Thanks Dennis for explaining it.

In the past we used a "Personal Information Exchange" certificate (pfx)
file plus the related password during the build and packaging process to sign
the different artifacts that have to be signed. I don't know all the
details yet and am currently doing some analysis of how the process worked.

But it seems that pfx files can be an approach to manage the certificates,
at least for code signing.

I will provide more information asap.

Juergen
>  - Dennis
> 
> -----Original Message-----
> From: Tony Stevenson [mailto:pctony@apache.org] 
> Sent: Wednesday, June 13, 2012 01:40
> To: infrastructure-dev@apache.org
> Subject: Re: Official code signing certificate
> 
> Jürgen Schmidt wrote on Wed, Jun 13, 2012 at 09:52:13AM +0200:
>> On 6/11/12 4:03 PM, Jürgen Schmidt wrote:
>>> Hi,
>>>
>>> I would like to ask what steps are necessary to get an official Apache
>>> code signing certificate.
>>>
>>> We would need such a certificate to sign our Apache OpenOffice binary
>>> releases and make them trusted in the Windows world with Apache as
>>> publisher.
>>>
>>> Note: 87% of our >3000000 downloads of AOO 3.4 are from Windows
>>>
>>> Especially with the upcoming Windows 8 app store this becomes even more
>>> important.
>>>
>>> We had signed our releases in the past and we have some tooling in
>>> place in our build process. The details of course have to be figured out,
>>> but that should hopefully be a minor problem.
>>>
>>> The questions are:
>>> 1. How can we get an official, valid Apache code signing certificate?
>>> 1.1 Which steps are necessary, because it is not for free?
>>>
>>> 2. How can we use it in our build process, or better, how can we make it
>>> usable for a limited group of users (I would say at least 3 PMC members,
>>> to have enough fallbacks) to sign the final releases?
>>>
>>> Any feedback or hints on how to address this correctly are welcome.
>>
>> Because of the fact that it is potentially time critical (details I can
>> provide via private email on demand), does anybody have some information
>> for me?
> 
> Juergen, 
> 
> We do not currently have a mechanism in place to offer this. Several people have started
> conversations, but nothing has ever come of it. If it was this critical, perhaps it should
> have been mentioned earlier, ideally on the incubator proposal.
> 
> First up is the cost of purchasing these certs; we would almost certainly need at least
> one cert per PMC, and AOO would likely need to share one with other podlings. We would then
> need to set up a corporate account and issue/manage them ourselves. None of which we have,
> nor were any of these budgeted for.
> 
> This is not a 'No you can't have it' - but it is a 'we don't have it yet, and we'd need
> to do it'. With that in mind you may want to give us any details you have. If they are private,
> please use infrastructure-private@; if they are hyper-sensitive or security related, please
> use root@
> 
>>
>> Juergen
>>
> 
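One check that follows from Dennis's point (every installed DLL/EXE and the installer itself must carry an Authenticode signature) is a release-review pass that flags Windows binaries with no certificate table. The script below is an added example, not OpenOffice or ASF tooling; it parses the PE optional header for the security data directory and uses a constructed, non-loadable PE32+ skeleton as sample input. It only detects presence of a signature blob; validating the chain is still the job of the platform verifier (e.g. signtool verify).

```python
import struct
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory index of the certificate table

def authenticode_info(data: bytes):
    """Return (present, file_offset, size) of the PE's certificate table.
    The security entry is a raw file offset (not an RVA); unsigned files have
    a zero entry.  This checks presence only; validating the signature chain
    is still the platform verifier's job (e.g. signtool verify)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes / data-directory offsets differ for PE32 and PE32+
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (False, 0, 0)                     # header too short for a security entry
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    present = off != 0 and size != 0 and off + size <= len(data)
    return (present, off, size)

def unsigned_artifacts(root):
    """Walk a release tree and list PE files that carry no certificate table."""
    missing = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".exe", ".dll", ".ocx", ".sys"):
            if not authenticode_info(p.read_bytes())[0]:
                missing.append(str(p))
    return sorted(missing)

def make_test_pe(signed: bool) -> bytes:
    """Constructed, non-loadable PE32+ skeleton used as sample input."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature
    opt = bytearray(240)                          # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)         # magic: PE32+
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    cert = b"\0" * 64 if signed else b""         # stand-in WIN_CERTIFICATE blob
    if signed:                                    # blob sits right after the headers
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(dos) + 4 + len(coff) + len(opt), len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

Run `unsigned_artifacts("path/to/release/tree")` before the PMC signs and locks down the artifact set; any path it returns would fail the Windows requirement Dennis describes.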


