www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <dave2w...@comcast.net>
Subject Re: Official code signing certificate
Date Sun, 24 Jun 2012 03:08:58 GMT

On Jun 14, 2012, at 1:57 AM, Jürgen Schmidt wrote:

> On 6/13/12 10:35 PM, Sam Ruby wrote:
>> On Wed, Jun 13, 2012 at 3:52 AM, Jürgen Schmidt
>> <jogischmidt@googlemail.com> wrote:
>>>> The questions are
>>>> 1. how can we get an official valid Apache code signing certificate
>>>> 1.1 which steps are necessary because it is not for free
>>>> 2. how can we use it in our build process or better how can we make it
>>>> useable for a limited group of users (I would say at least 3 PMC members
>>>> to have enough fall backs) to sign the final releases.
>> Before spending any more time on this, Jürgen would it be possible for
>> you to find answers to this outside of an ASF context?  Specifically,
>> is there somebody who knows how to get such a certificate and what it
>> would cost, and what it would take to use it?
>> Note: the final solution may not be that it is PMC members that are
>> the ones doing the signing.
> many emails over night and many speculation how easy or complicate it
> would be to do the signing in a reliable build process without too much
> manual work.
> As I mentioned we did code signing before and we did it during our build
> process. Only few people at Sun/Oracle had access to the certificate
> private data.
> I m trying to figure out how exactly the technical process worked with a
> test certificate and based on this information it will be potentially
> easier to define a possible workflow.
> I will come back with further information.
> Juergen
> Site note: AOO binaries are essential for our broader user base, they
> are not interested in source releases and they are not able to build an
> office on their own. Keep in mind that AOO is an end user oriented
> application. It's a new kind of application here at Apache but the
> number of downloads are telling enough about it.

AOO does have buildbots in place. Certainly these can be adapted to add the correct "signtool.exe"
commands at the correct locations in the build. At least that's how it worked for an Excel
Add-in that my team at work produced in VisualStudio 2008 a few years ago. Execution of that
step could somehow take into account whether or not an Apache Infra contractor was initiating
this cycle of the build. In other cases for "non-offical" builds certificates with less authority
could be used.



View raw message