www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Official code signing certificate
Date Mon, 25 Jun 2012 15:15:58 GMT
On 6/25/12 4:26 PM, Dave Fisher wrote:
> HI Jürgen,
> 
> On Jun 25, 2012, at 1:09 AM, Jürgen Schmidt wrote:
> 
>> On 6/24/12 5:08 AM, Dave Fisher wrote:
>>>
>>> On Jun 14, 2012, at 1:57 AM, Jürgen Schmidt wrote:
>>>
>>>> On 6/13/12 10:35 PM, Sam Ruby wrote:
>>>>> On Wed, Jun 13, 2012 at 3:52 AM, Jürgen Schmidt
>>>>> <jogischmidt@googlemail.com> wrote:
>>>>>>>
>>>>>>> The questions are
>>>>>>> 1. how can we get an official valid Apache code signing certificate
>>>>>>> 1.1 which steps are necessary because it is not for free
>>>>>>>
>>>>>>> 2. how can we use it in our build process or better how can we
make it
>>>>>>> useable for a limited group of users (I would say at least 3
PMC members
>>>>>>> to have enough fall backs) to sign the final releases.
>>>>>
>>>>> Before spending any more time on this, Jürgen would it be possible for
>>>>> you to find answers to this outside of an ASF context?  Specifically,
>>>>> is there somebody who knows how to get such a certificate and what it
>>>>> would cost, and what it would take to use it?
>>>>>
>>>>> Note: the final solution may not be that it is PMC members that are
>>>>> the ones doing the signing.
>>>>
> 
> Considering this important likely fact.
> 
> <snip>
> 
>>>> I will come back with further information.
>>>>
>>>> Juergen
>>>>
>>>> Site note: AOO binaries are essential for our broader user base, they
>>>> are not interested in source releases and they are not able to build an
>>>> office on their own. Keep in mind that AOO is an end user oriented
>>>> application. It's a new kind of application here at Apache but the
>>>> number of downloads are telling enough about it.
>>>
>>> AOO does have buildbots in place. Certainly these can be adapted to add the correct
"signtool.exe" commands at the correct locations in the build. At least that's how it worked
for an Excel Add-in that my team at work produced in VisualStudio 2008 a few years ago. Execution
of that step could somehow take into account whether or not an Apache Infra contractor was
initiating this cycle of the build. In other cases for "non-offical" builds certificates with
less authority could be used.
>>>
>>
>> we had a signing process in place that can be triggered during the build
>> process to sign *.dlls, *.exe etc. and a post built step to sign the
>> final setup.
>>
>> As I have mentioned on our ooo-dev list I was able to create a first
>> signed build of AOO with my self signed test certificate.
>>
>> The process used a Personal Information Exchange file (pfx) of the cert
>> + a passcode. In case of AOO I have to do some further tests.
> 
> Sure thing. As evidenced by the other parts of this thread. It is likely that the final
application of an ASF certificate will be during a build by an Infrastructure contractor.
> 
> Is there any reason not to think that a Windows buildbot will work for building a signed
release?
> 

I started to understand how the process worked in the past and if the
result fulfill our requirements. I can think of a secure build bot
machine where the cert is installed and the signtool is called with
different options, sure. Needs further and deeper investigation.

I think it is important that the PMC's can trigger it easy and that the
whole process doesn't include too much work by infra people. And that is
secure.

Juergen


> Regards,
> Dave
> 
>>
>> Juergen
>>
>>
>>
>>> Regards,
>>> Dave
>>>
>>>
>>>>
>>>>
>>>>
>>>
>>
>>
> 



Mime
View raw message