From Rob Weir <robw...@apache.org>
Subject Re: Official code signing certificate
Date Fri, 03 Aug 2012 13:24:22 GMT
Adding another one to the list:  With the MacOS Mountain Lion update,
code signing is now expected by default, by their "Gatekeeper".

Some possibly useful information on how Mozilla dealt with this in Firefox:


It sounds like in this case the certs come from Apple, not from a 3rd
party CA.  So a solution based on a Symantec code signing service
would not help there.



On Wed, Jul 18, 2012 at 6:01 PM, Om <bigosmallm@gmail.com> wrote:
> I know that whatever process we will choose (if we choose one at all) it
>> will cause some work and I am willing to help where I can. But I am
>> really interested in bringing this forward and need some feedback or
>> opinions to continue.
> I was informed about this discussion on the flex-dev list and I thought I
> would jump in with my thoughts.  We are currently looking to create a
> similar set of installers packaged as AIR apps which need to be signed in
> a way very similar to the one described here.  The process of signing AIR apps is
> described here [1]
> [1]
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>> >>> I like Roy's outline better.  The AOO PPMC designs a build environment
>> >>> that can be verified and implemented by ASF contractors.  The AOO PPMC
>> >>> validates the output of that process before distribution.
>> >>>
>> >>> Tell me that can be done, or why that is not possible, or describe
>> >>> something better.
>> >>>
> The Apache Flex PPMC would be glad to help out with this process as well.
>> >> Proposal:
>> >> The proposal will be described by the example of AOO, but it can be applied
>> >> to other projects that have demand for code signing as well!
>> >>
>> >> Set up a dedicated Windows build machine that has all the AOO build
>> >> requirements installed so that AOO can be built like on a build bot. It can
>> >> of course be a special build bot. Only specific and authorized people
>> >> have access to this machine! I don't comment on whether the machine is
>> >> accessible via network or not because this also includes some security
>> >> risks.
>> >>
>> >> When AOO plans to release a new version the project will request an
>> >> official build based on revision XY. The code version will be checked
>> >> out and built in the same way as on the build bots + some special
>> >> switches to enable code signing. The final bits will be verified by AOO
>> >> project members and as a final step they will be signed by the release
>> >> manager as always (sha, asc, md5) and uploaded. Potentially several
>> >> iterations are necessary depending on the voting process on the RCs.
> The only thing I would add here is that we would also need a Mac build
> machine to create the same installer for Macs.  We have one code base that
> would get compiled into the two different operating systems.
>> >>
>> >> #1
>> >> The certificate including the private key is installed on this machine
>> >> and any signing process can get access to the certificate.
>> >>
>> >> #2
>> >> The certificate is provided as a *.pfx file + pass code and is made
>> >> accessible to any signing process. The pfx file can be stored in a
>> >> secure place on this machine or on an external cryptographic device.
>> >>
>> >>
> I prefer #2 because of the above mentioned Mac build requirement.
>> >> The information about the setup of such a dedicated Windows machine and
>> >> the AOO specific build requirements is documented and of course AOO
>> >> project members would help with the setup if they get temporary access
>> >> or would at least provide support.
> Again, the Flex project members would be glad to help out here as well.
>> >> I hope that is the information you are looking for.
>> >>
>> >>
>> >> Side note:
>> >> The other approach which is secure from my perspective as well is to
>> >> support project specific certificates and allow only a few trusted
>> >> people (e.g. release manager, project chair) access to the files.
>> >> Projects have to take care of their own dedicated build machines with
>> >> limited net access (to get the sources) for example.
>> >> It can of course be a mixed solution where projects with different
>> >> demands will be handled differently. A project where only a jar file has
>> >> to be signed can of course be handled differently compared to AOO where we
>> >> have a complex multi step signing process with hundreds of files.
>> >>
>> >> I am looking forward to feedback.
>> >
>> > Any opinions or general feedback?
> This approach should work for us as well.
> Right now, we are using a self-signed certificate to sign our installer
> (before the official release PGP signing).  The ant script finds the
> certificate and uses it appropriately.  All that remains to be done is to use
> a real signed certificate from a trusted certificate authority.  The Apache
> Flex team would greatly appreciate it if we find a solution to this as soon
> as possible, so that we can use it for our upcoming first release.
> Thanks,
> Om
> Apache Flex PPMC Member
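The proposal quoted above ends with the release manager signing the verified bits "as always (sha, asc, md5)" before upload. The following is an added example, not code from this thread or from the AOO or Flex projects, showing the checksum half of that verification as a downstream verifier or a PPMC member voting on an RC would run it: every artefact in a release directory is compared against its `.sha256` and `.md5` sidecar files, and a file modified after the checksums were produced is reported. The artefact names, sidecar suffixes and file contents are constructed for the demo; the PGP (`.asc`) check is out of scope here since it needs gpg.

```python
"""Verify release artefacts against their checksum sidecar files.

Added example (not from the www-infrastructure-dev thread). Sample
artefacts are constructed inline in a temporary directory; the .asc
(PGP) signature check is not modelled.
"""
import hashlib
import os
import tempfile

# Sidecar suffix -> hash constructor. md5 is included only because the
# thread lists it; a matching md5 adds no strength beyond the sha check.
SIDECARS = {".sha256": hashlib.sha256, ".md5": hashlib.md5}


def file_digest(path, hasher):
    """Stream the file through the hash so large installers don't load into memory."""
    h = hasher()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sidecar(path):
    """Accept the usual 'HEX  filename' layout as well as a bare hex line."""
    with open(path, "r", encoding="utf-8") as f:
        fields = f.readline().split()
    return fields[0].lower() if fields else ""


def verify_artifact(artifact_path):
    """Return {suffix: True | False | None}; None means the sidecar is missing."""
    results = {}
    for suffix, hasher in SIDECARS.items():
        sidecar = artifact_path + suffix
        if not os.path.exists(sidecar):
            results[suffix] = None
            continue
        results[suffix] = parse_sidecar(sidecar) == file_digest(artifact_path, hasher)
    return results


def verify_release_dir(release_dir):
    """Check every non-sidecar, non-signature file in release_dir."""
    report = {}
    for name in sorted(os.listdir(release_dir)):
        if name.endswith(".asc") or any(name.endswith(s) for s in SIDECARS):
            continue
        report[name] = verify_artifact(os.path.join(release_dir, name))
    return report


def build_demo_release():
    """Constructed sample: two artefacts with sidecars, one altered after checksumming."""
    d = tempfile.mkdtemp(prefix="rc-demo-")
    for name in ("installer-good.exe", "installer-bad.exe"):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"constructed release bits")
        for suffix, hasher in SIDECARS.items():
            with open(p + suffix, "w", encoding="utf-8") as f:
                f.write(f"{file_digest(p, hasher)}  {name}\n")
    # Simulate a modification that happened after the sidecars were written.
    with open(os.path.join(d, "installer-bad.exe"), "ab") as f:
        f.write(b"\x00")
    return d


if __name__ == "__main__":
    for name, res in verify_release_dir(build_demo_release()).items():
        status = "OK" if all(v is True for v in res.values()) else "FAIL"
        print(f"{status:4} {name} {res}")
```

A `None` in the report (missing sidecar) is reported separately from a mismatch so that an incomplete upload is not mistaken for a tampered one; both should block a release vote.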
