www-infrastructure-dev mailing list archives

From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Wed, 27 Jun 2012 16:11:23 GMT
On 6/27/12 2:49 PM, Dean Coclin wrote:
> Yes, we are still the correct people.
> 

Hi Dean,

sorry for jumping in but I hope that a short question is allowed.

I am currently investigating a reliable code signing process for
Apache OpenOffice (AOO) to become a good citizen in the Windows world
and especially the upcoming Windows 8.

AOO is bigger and we have to sign a lot of *.dll and *.exe during the
build, package the files in an msi/setup etc., sign the final setup bits
and finally sign a downloadable self-extracting exe.

Because of the huge size and the many many files I believe that it makes
most sense to have a certificate on a dedicated build machine.

But anyway whatever process in the end is working and possible, I would
like to ask if it is possible to get some kind of test certificate to
improve our testing.

My self-signed certificate created with makecert is 1024 bit only and I
have read that a code signing cert has to be at least 2024 bits. I
don't know if that makes a difference in the Windows 8 App Certification
Kit.

I think AOO with currently >6million downloads (since May 8th) can be a
good promotion for Symantec when people notice where the certificate
comes from.

Juergen


> Dean
> 
> -----Original Message-----
> From: William A. Rowe Jr. [mailto:wrowe@rowe-clan.net]
> Sent: Tuesday, June 26, 2012 5:38 PM
> To: Richard Hall; Dean Coclin; Tony Stevenson (Apache)
> Cc: infrastructure-dev@apache.org; Sam Ruby
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
> 
> On 6/25/2012 5:33 PM, William A. Rowe Jr. wrote:
>> Since the subject of signing packages has reappeared, I'd ask the
>> infra team and those RM's looking to sign bits to review this proposal once 
>> again.
>>
>>> One major step would be for Sam, who is both our Legal VP and Infra
>>> VP, to review the actual agreement/paperwork in detail and determine
>>> that it would be something we are able to sign.  Dean, could you
>>> forward that to Sam, even as we all learn more about the service and
>>> come to a decision of whether we should adopt it or not?
>>>
>>> Dean and Richard are happy to answer any questions, here's one that
>>> we started during a brief introductory call.  They are just coming up
>>> to speed about how we handle our infrastructure through mailing
>>> lists, so be nice, and please remember reply-to-all if you want them
>>> to respond!
> 
> Dean, Richard,
> 
> are you still the best contacts to speak to about the logistics of setting up 
> the ASF with Symantec's code signing service?  Tony (cc'ed) would like to
> directly discuss the particulars with you on behalf of the ASF Infrastructure 
> team.
> 
> Warmly,
> 
> Bill
> 


