www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Official code signing certificate
Date Mon, 25 Jun 2012 22:27:33 GMT
On 6/23/2012 4:40 PM, Sam Ruby wrote:
> On Sat, Jun 23, 2012 at 5:33 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>>
>> If we now have 5-7 projects looking for code signing, I'd suggest it is time
>> for Sam as VP infra, or his delegate, to re-approach the Symantec team and
>> find out the terms and conditions on their code signing service and the
>> cost.  Have a couple infra team members act as admins.  As I may be signing
>> objects I would prefer not to also be an admin, but would serve if pressed.
> 
> I've already stated that I'm willing to authorize the purchase of an
> ASF certificate should we need one.

Reiterating two options:

 1. Obtain an ASF code signing organization cert.  Build a service to automate
    the submission for signing in an auditable and automated manner.  Unsigned
    blobs from svn in, signed blobs committed back to subversion for the project
    to then package or deploy.  Complete transparency over who submitted what
    binary bits.  A malicious or unintentionally viral package signature cannot
    be withdrawn.  We have an offer for such a cert, free, from Symantec.

 2. Sign up for the Symantec Code Signing service.  Several current infra root
    folks gain admin rights to create accounts for release managers.  RMs send
    up unsigned bits, get back signed bits.  Each binary has its own unique
    cert which can be later invalidated due to malicious or unintentionally
    viral package contents.  We have an offer for such a service, free, from
    Symantec.

Reinventing the wheel seems so foolish now that Symantec went from initially
discussing prices for option 2 to telling us we would be invited to use that
service for free.

Bill


