www-infrastructure-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Official code signing certificate
Date Sat, 23 Jun 2012 22:03:58 GMT
On Sat, Jun 23, 2012 at 5:40 PM, Sam Ruby <rubys@intertwingly.net> wrote:
> On Sat, Jun 23, 2012 at 5:33 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>>
>> If we now have 5-7 projects looking for code signing, I'd suggest it is time
>> for Sam as VP infra, or his delegate, to re-approach the Symantec team and
>> find out the terms and conditions on their code signing service and the
>> cost.  Have a couple infra team members act as admins.  As I may be signing
>> objects I would prefer not to also be an admin, but would serve if pressed.
>
> I've already stated that I'm willing to authorize the purchase of an
> ASF certificate should we need one.
>
> Meanwhile, I've affirmed what Roy stated previously: the ASF
> Infrastructure team will not sign binaries that were not produced
> under conditions that they can fully audit or control.
>

I agree with you 100% that having an ASF-wide certificate shared with
PMCs would be asking for trouble.  So don't do it.  But that doesn't
mean the only alternative is to have Infra do all the signing itself.
Why not have project-level certificates?  Looking at the Verisign
sign-up for Authenticode certs, they have a field to specify a "company" as
well as "division".

Does something bad happen if a binary is signed by "Apache Foo
Project"?  Isn't that win-win?  No extra work for Infra.  No risk of
losing control of a single master cert for all of the ASF.  It puts
control of the cert with those who build, review and approve the
releases.

-Rob

> - Sam Ruby
