www-infrastructure-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Thu, 19 Jul 2012 22:12:31 GMT

On Jul 19, 2012, at 11:16 AM, Om wrote:

> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Richard_Hall@symantec.com> wrote:
> Hi Dave,
> 
> Our hosted signing service does not currently provide the ability to sign Air applications, but we do offer Code Signing certs for Adobe Air from our website:
> 
> http://www.symantec.com/verisign/code-signing/adobe-air
> 
> Would this work for you?  Please let us know if you have any questions.
> 
> Thanks,
> 
> Rich
> 
> 
> Rich,
> 
> This would work perfectly fine for us.  

Om,

And now the question is for the Apache Infrastructure team. Assuming that an apache.org certificate
for signing AIR applications is purchased by The ASF, how will it be handled? And that is the
other thread.

Thanks,
Dave

> 
> Thanks,
> Om
> Apache Flex PPMC Member
>  
> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Wednesday, July 18, 2012 7:12 PM
> To: infrastructure-dev@apache.org
> Cc: Dean Coclin; Richard Hall
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
> 
> 
> On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:
> 
> > Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> > list history... if I missed your earlier reply I apologize in advance.
> 
> Gentlemen,
> 
> The Apache Flex podling would like to sign AIR applications as well:
> 
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> 
> Thanks for your consideration,
> Dave
> 
> >
> > Bill
> >
> > On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> >> Q's for Dean inline;
> >>
> >> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> >>>
> >>> sorry for jumping in but I hope that a short question is allowed.
> >>
> >> [Yes, that's why we launched the thread here for anyone interested in
> >> signing ASF binary objects.]
> >>
> >>> I am currently investigating in a reliable code signing process for
> >>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> >>> and especially the upcoming Windows 8.
> >>>
> >>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> >>> build, package the files in an msi/setup etc., sign the final setup bits
> >>> and finally sign a downloadable self extracting exe.
> >>>
> >>> Because of the huge size and the many many files I believe that it makes
> >>> most sense to have a certificate on a dedicated build machine.
> >>
> >> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> >> case for reasons already spelled out on the list.  As I was designing the
> >> svn <-> signing service, I was actually laying it out that I myself would
> >> never have access to that key myself.
> >>
> >> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> >> the individual bits in that package, and refold it back into a .cab (and
> >> nested back into the .msi, which is then itself signed).  The same could
> >> be true for a Java .jar (.zip) binaries collection.
> >>
> >>
> >> Dean, a few additional questions for you from these thoughts;
> >>
> >> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> >> sign multiple embedded bits?
> >>
> >> Is the logic out there for 'batching' a bunch of files together?
> >>
> >> In either case, will a single 'signing key' be used, or will each individual
> >> artifact be individually signed?
> >>
> >> Can .msi or .jar packages themselves be signed through the service?
> >>
> >> And finally, has anything changed in the past year about an organization having
> >> OU subordinate keys?  E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> >> individual or department keys?  Last I understood, only a single org code
> >> signing cert would be made available.  We have approx 12 RM's at the ASF today
> >> who would like to begin signing packages, if one key/cert can be tied into one
> >> individual committer.  Or (in this case) can "O=Apache Open Office" be its own
> >> signing key?
> >>
> >>> But anyway whatever process in the end is working and possible, I would
> >>> like to ask if it is possible to get some kind of test certificate to
> >>> improve our testing.
> >>
> >> Or, perhaps test-integrate with the signing service, if it provides for batch
> >> submission?
> >>
> >>> My self-signed certificate created with makecert is 1024 bit only and I
> >>> have read that a code signing cert has to be at least 2024 bits. I
> >>> don't know if that makes a difference in the Windows 8 App Certification
> >>> Kit.
> >>
> >> First off, 1024 is not 21'st +10y friendly.  The minimum cert size for any
> >> reliable cryptography is 2048 bits today (measured as an RSA style key,
> >> obviously DSS/DH and ECC use different logic and different 'safe' key
> >> sizes).  If you believe the US NIST, 2048 is going to hold us till 2030,
> >> but I won't be holding my breath on that one :)
> >>
> >> Secondly, any pointers to local test signing certs for binaries and .msi
> >> packages on windows would be very helpful to me as well.
> >>
> >>> I think AOO with currently >6million downloads (since May 8th) can be a
> >>> good promotion for Symantec when people notice where the certificate
> >>> comes from.
> >>
> >> +1 :)
> >>
> >>
> >>
> >>
> >>
> >
> >
> 
> 
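An added illustration, not code from this thread or from any ASF or Symantec signing service, of the "unfold the package, cover every embedded bit, refold, then sign the outer package" step Bill describes for .jar (.zip) collections: a stdlib-only Python check that folds a constructed jar-style zip with per-entry SHA-256-Digest manifest sections and verifies that every entry still matches, flagging both tampered entries and files added after the manifest was written. The entry names and contents are constructed; a real pipeline would go on to sign the manifest (.SF/.RSA) and the outer package with the release key.

```python
import base64, hashlib, io, zipfile

# Constructed sample entries; not a real Flex or AOO artifact.
SAMPLE_ENTRIES = {
    "org/example/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "lib/native.dll": b"MZ constructed dll bytes",
}
MANIFEST = "META-INF/MANIFEST.MF"

def _b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def fold(entries, signed_entries=None):
    """Pack entries into a zip plus a MANIFEST.MF recording a SHA-256-Digest per
    entry, in the per-entry section layout jarsigner uses (72-byte line wrapping
    omitted). signed_entries lets a test record digests for a different content
    set, which is what post-signing tampering or a smuggled file looks like."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (signed_entries or entries).items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64sha256(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines) + "\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _manifest_digests(text):
    """Parse the manifest into {entry name: recorded digest}."""
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA-256-Digest" in fields:
            digests[fields["Name"]] = fields["SHA-256-Digest"]
    return digests

def verify(jar_bytes):
    """Return sorted names of entries whose bytes no longer match the recorded
    digest or that are absent from the manifest; an empty list means every bit
    in the package is covered."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        recorded = _manifest_digests(zf.read(MANIFEST).decode())
        for info in zf.infolist():
            if info.filename == MANIFEST or info.is_dir():
                continue
            if recorded.get(info.filename) != _b64sha256(zf.read(info)):
                bad.append(info.filename)
    return sorted(bad)
```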

