www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Official code signing certificate
Date Fri, 12 Apr 2013 15:20:19 GMT
On Thu, 21 Mar 2013 08:53:29 +0100
Jürgen Schmidt <jogischmidt@gmail.com> wrote:

> On 3/20/13 9:37 PM, Daniel Shahaf wrote:
> > 
> > - the script uses as input a certificate that only root@ has access
> > to
> > 
> > - root@ runs the script (against a specific tag and revision in
> > svn) and publishes the results
> 
> that is one way to handle it and from a security perspective the most
> secure one. But I would restrict root to only a very small group of
> people with root access on the dedicated machine. This really depends
> on what infra prefers, and other options are also possible.

If this were a project cert or whatever, your 'small group' solution
might be feasible.  The cert *IS* ASF-wide, that is at least 10+
projects with 10+ individuals.  Root/Admin-only script is the only
feasible solution.  That is unless you want specific objects to be
signed by their own key, a solution offered to us, for free, by
Symantec's code signing service that we've chosen to ignore.

What is built, then?  A release tarball?  An svn tag?  Can it be
patched or modified?  How is it tracked which package is signed 
by which RM?

As an ASF-wide credential, having the core infra team as the sole
possessors of that key seems prudent.

> > So... what kind of certificate is that?  How much does it cost, what
> > kind of year to year maintenance it requires, etc.
> 
> for windows it is a
> "Code Signing Certificates for Microsoft Authenticode
> Digitally sign 32-bit or 64-bit user-mode
> (.exe, .cab, .dll, .ocx, .msi, .xpi, and .xap files) and kernel-mode
> software. Provider for Microsoft Windows Logo programs."
> 
> see [1] and [2]
> 
> [1]
> http://www.symantec.com/verisign/code-signing/microsoft-authenticode
> [2] overview http://www.symantec.com/code-signing
> 
> I found a price from Symantec of $499/year (reduced prices for 2 or 3
> years), but there is already an opportunity to find a sponsor,
> potentially a provider of such certificates.

Sigh <wasting even more breath>... it's free.  See the archives.

