www-infrastructure-dev mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Official code signing certificate
Date Mon, 25 Mar 2013 22:57:49 GMT
Rob Weir wrote on Mon, Mar 25, 2013 at 12:06:13 -0400:
> On Fri, Mar 22, 2013 at 12:57 PM, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> > Rob Weir wrote on Fri, Mar 22, 2013 at 10:44:45 -0400:
> >> So from a process view, we might want to have routine builds be signed
> >> with a placeholder test certificate (essentially self-signed) and this
> >> test certificate is in SVN. The real signing certificate would only
> >> be applied on Release Candidates and with additional safeguards.
> >> Maybe the request needs to come from the PMC Chair or the Release
> >> Manager?  Or some time must elapse between the date of the SVN
> >> revision and the signing?
> >>
> >
> > How about only signing with the real certificate once three PMC members
> > PGP-signed the binaries-built-against-the-self-signed-certificate.
> >
> 
> I like the idea of having multiple PMC members attest to the RC, by
> signing or whatever.  But we still would need to tie that back to a
> SVN revision number somehow. In other words, how do we prove the
> revision number that was used to build the RC?
> 
> Perhaps the flow is like this:
> 
> 1) RC built by buildbot and that records the SVN revision.
> 
> 2) Three PMC members sign the RC
> 
> 3) Comparison of the MD5 hashes for the signed RC and the buildbot
> output confirms the revision that was used.
> 

As an aside, I'd use a stronger hash algorithm than MD5 here.

Daniel

> 4) Infra then releases the signing cert for use by buildbot automation
> to rebuild the same revision
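The check described in steps 2 and 3 above, written out as an added example (not code from the thread or from the project): the artifact is hashed with SHA-256 rather than MD5, compared against what buildbot recorded for the revision, and only released for real signing once three distinct PMC members have attested to that same digest. The `buildbot_record` layout, the member names and the attestation format are assumptions; the attestations stand in for the PGP signatures and the signature verification itself is not modelled.

```python
import hashlib
import hmac

# Number of distinct PMC members who must attest to the RC (from the thread).
REQUIRED_ATTESTATIONS = 3


def artifact_digest(data: bytes) -> str:
    """SHA-256 of the RC artifact, used instead of MD5 for the comparison."""
    return hashlib.sha256(data).hexdigest()


def verify_rc(artifact: bytes, buildbot_record: dict, attestations: list) -> dict:
    """Decide whether the real certificate may be released for this RC.

    buildbot_record: {"revision": str, "sha256": str} written by the build
    that produced the artifact (assumed format, not buildbot's own).
    attestations: (pmc_member, attested_sha256) pairs standing in for the
    PGP signatures of step 2; signature checking itself is out of scope.
    Returns {"ok": bool, "revision": str | None, "reasons": [str]}.
    """
    reasons = []
    digest = artifact_digest(artifact)

    # Step 3: the RC being attested must hash to what buildbot recorded,
    # which is what ties the attestations back to an SVN revision.
    if not hmac.compare_digest(digest, buildbot_record["sha256"]):
        reasons.append("artifact digest does not match buildbot record")

    # Step 2: count distinct members whose attestation covers this digest;
    # one member attesting three times counts once.
    attesting_members = {member for member, d in attestations
                         if hmac.compare_digest(d, digest)}
    if len(attesting_members) < REQUIRED_ATTESTATIONS:
        reasons.append(f"{len(attesting_members)} of {REQUIRED_ATTESTATIONS} "
                       "required attestations match the artifact")

    ok = not reasons
    return {
        "ok": ok,
        "revision": buildbot_record["revision"] if ok else None,
        "reasons": reasons,
    }


# Constructed sample data (not from the thread or any real build).
SAMPLE_ARTIFACT = b"constructed release candidate bytes"
BUILDBOT_RECORD = {
    "revision": "r1000000 (constructed)",
    "sha256": artifact_digest(SAMPLE_ARTIFACT),
}
GOOD_ATTESTATIONS = [
    ("pmc-member-a", artifact_digest(SAMPLE_ARTIFACT)),
    ("pmc-member-b", artifact_digest(SAMPLE_ARTIFACT)),
    ("pmc-member-c", artifact_digest(SAMPLE_ARTIFACT)),
]

if __name__ == "__main__":
    print(verify_rc(SAMPLE_ARTIFACT, BUILDBOT_RECORD, GOOD_ATTESTATIONS))
    # A tampered artifact fails both the buildbot comparison and the attestation count.
    print(verify_rc(b"tampered bytes", BUILDBOT_RECORD, GOOD_ATTESTATIONS))
```

The `revision` field is only returned when every check passes, so step 4 (handing the certificate to buildbot to rebuild that revision) has nothing to act on for a rejected RC; the `reasons` list is what would go into the infra ticket explaining the refusal.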
