www-infrastructure-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Official code signing certificate
Date Thu, 14 Jun 2012 08:57:35 GMT
On 6/13/12 10:35 PM, Sam Ruby wrote:
> On Wed, Jun 13, 2012 at 3:52 AM, Jürgen Schmidt
> <jogischmidt@googlemail.com> wrote:
>>>
>>> The questions are
>>> 1. how can we get an official valid Apache code signing certificate
>>> 1.1 which steps are necessary because it is not for free
>>>
>>> 2. how can we use it in our build process or better how can we make it
>>> useable for a limited group of users (I would say at least 3 PMC members
>>> to have enough fall backs) to sign the final releases.
> 
> Before spending any more time on this, Jürgen would it be possible for
> you to find answers to this outside of an ASF context?  Specifically,
> is there somebody who knows how to get such a certificate and what it
> would cost, and what it would take to use it?
> 
> Note: the final solution may not be that it is PMC members that are
> the ones doing the signing.

Many emails overnight and much speculation about how easy or complicated it
would be to do the signing in a reliable build process without too much
manual work.

As I mentioned, we did code signing before and we did it during our build
process. Only a few people at Sun/Oracle had access to the certificate
private data.

I'm trying to figure out how exactly the technical process worked with a
test certificate, and based on this information it will be potentially
easier to define a possible workflow.

I will come back with further information.

Juergen

Side note: AOO binaries are essential for our broader user base; they
are not interested in source releases and they are not able to build an
office on their own. Keep in mind that AOO is an end-user-oriented
application. It's a new kind of application here at Apache, but the
number of downloads is telling enough about it.



