www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Mon, 25 Jun 2012 22:33:06 GMT
Since the subject of signing packages has reappeared, I'd ask the infra team
and those RMs looking to sign bits to review this proposal once again.

Given that a sig can be invalidated after the fact, the attached discussion
is probably moot - simply sign the bits for the release candidate, and if
rev 1.1.x isn't approved, sign the next rev 1.1.x+1 package and invalidate
the original signature on 1.1.x binaries.  That should work, shouldn't it?

On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> On the subject of signing jars, Windows binaries and .msi installer
> packages, it seems that infra-dev is partial to the ability to revoke
> package signatures if an artifact is not released or is found to have
> been corrupted, and that the code signing service from Symantec /
> VeriSign / Thawte is the way to go here.
>
> I spoke with Richard and Dean who confirmed that this service would
> be offered at no cost to the ASF.  User accounts would be as one of two
> roles, an administrator (root-ish) level and a publisher (committer)
> who needs to sign packages.  There is no integration at present for
> PAM style authentication into our ldap, or SSO solution in this
> specific service so we would have to create accounts for each committer
> who is doing signed binary releases.
>
> It is batch-able and can be automated.  Obviously there is some work
> around setting up that functionality, but it can run on the signer's
> own PC as opposed to a central repository.  Here's a background paper
> on the code signing portal itself:
> http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
>
> It is due a major revision entering (or already in?) beta.  That version
> introduces support for .jar signing in addition to Win binary/msi signing.
> I asked and they are researching whether Apache could be invited to
> participate in the beta, since we would only just be getting up to speed
> by the time that portal version launches.
>
> One major step would be for Sam, who is both our Legal VP and Infra VP,
> to review the actual agreement/paperwork in detail and determine that
> it would be something we are able to sign.  Dean, could you forward that
> to Sam, even as we all learn more about the service and come to a decision
> of whether we should adopt it or not?
>
> Dean and Richard are happy to answer any questions, here's one that
> we started during a brief introductory call.  They are just coming
> up to speed about how we handle our infrastructure through mailing
> lists, so be nice, and please remember reply-to-all if you want them
> to respond!
>
> Q. Support for JavaScript signing for frameworks like ajax?
>
> On 12/5/2011 11:21 AM, Richard Hall wrote:
>> I looked into the java script signing that you had asked about and it's not something
>> that we currently do (although not to say that we couldn't do it).  Is this something that
>> you're doing today, and if so, what sign tool are you using (jar signer, Microsoft's sign
>> tool, etc.)?  It's our understanding that even if we provide signing for java scripts that
>> there is currently no way to validate this in any existing infrastructure (browsers, etc.)
>> unless you've implemented your own way of doing this.
>>
>> Thanks for any additional input you can provide.
