www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Official code signing certificate
Date Fri, 12 Apr 2013 15:57:49 GMT
> On Fri, Mar 22, 2013 at 06:57:13PM +0200, Daniel Shahaf wrote:
> > How about only signing with the real certificate once three PMC
> > members PGP-signed the
> > binaries-built-against-the-self-signed-certificate.

As an RM and PMC member, I will never apply my PGP key to a binary
artifact where I was not completely in control of both verifying
the legitimacy of the sources (e.g. an approved tarball) and the
associated build environment.  I have no way to inspect project
member Jay's binaries so I have no basis on which to sign them.
I *can* sign Jay's key because I trust him, but only Jay who had
built the binaries can attest to their validity.  And if it turns
out I mistrusted Jay, I can revoke my sig, but if it turns out
I mistrusted Jay's binary I may be forced into a position of revoking 
my own signing key as well.

On Tue, 26 Mar 2013 19:58:41 +0000
Daniel Shahaf <danielsh@apache.org> wrote:

> Note that after the binaries-signed-with-the-real-certificate are
> built, they would have to be PGP-signed _again_ before they can be
> distributed.

Very true, I never expected anything different.  For example, if you
want to validate your mirror copy on Linux, using MS Authenticode
sigs would be unacceptably challenging.
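The mirror check the message above alludes to, as an added example that is not part of the thread and not ASF tooling: a downstream user on Linux imports only the keys the project publishes (a KEYS file is assumed here, modelled on the usual Apache layout) into an empty keyring and verifies the detached PGP signature of a downloaded artifact. The release-manager and "outsider" keys, the artifact and its file names are all constructed throwaways so the script runs offline; it needs gpg 2.x on PATH. Beyond the genuine case it also shows the two rejections a mirror user should expect: a modified artifact, and a signature made with a key the project never published.

```shell
#!/bin/sh
# Added example (not from the thread): verify a mirrored release artifact
# against its detached PGP signature using only the project's published keys.
# Everything below (keys, KEYS file, artifact, names) is constructed here.
set -u

WORK=$(mktemp -d)
RM="$WORK/rm-home"            # release manager's throwaway keyring
OUTSIDER="$WORK/outsider-home" # a key the project never published
trap 'GNUPGHOME="$RM" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Generate an unprotected throwaway key into a fresh GNUPGHOME (constructed;
# a real RM uses a long-lived key whose public half sits in the KEYS file).
make_key() {  # $1 = homedir, $2 = short uid
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $2
Name-Email: $2@example.invalid
Expire-Date: 0
%commit
EOF
}

# Downstream check: import only KEYS into an empty keyring and require a
# VALIDSIG status line from gpg. Returns 0 only if the signature is good and
# was made by a key present in KEYS. Whether you *trust* that key is the
# separate question the thread is about; gpg will still warn about it.
verify_release() {  # $1 = artifact, $2 = detached .asc, $3 = KEYS file
    vh=$(mktemp -d) && chmod 700 "$vh"
    GNUPGHOME="$vh" gpg --batch --quiet --import "$3" 2>/dev/null
    out=$(GNUPGHOME="$vh" gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    GNUPGHOME="$vh" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$vh"
    case $out in
        *"[GNUPG:] VALIDSIG "*) return 0 ;;
        *) return 1 ;;
    esac
}

make_key "$RM" rm
make_key "$OUTSIDER" outsider

# Release manager signs the built artifact (constructed contents) and the
# project publishes the public key in KEYS.
ART="$WORK/foo-1.0-bin.tar.gz"
printf 'constructed stand-in for a built binary\n' > "$ART"
GNUPGHOME="$RM" gpg --batch --quiet --armor --detach-sign --output "$ART.asc" "$ART"
GNUPGHOME="$RM" gpg --batch --quiet --armor --export > "$WORK/KEYS"

# Negative cases a mirror user should catch: a modified artifact, and a
# signature from a key that is not in KEYS.
cp "$ART" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"
GNUPGHOME="$OUTSIDER" gpg --batch --quiet --armor --detach-sign --output "$WORK/rogue.asc" "$ART"

demo() {
    verify_release "$ART" "$ART.asc" "$WORK/KEYS" && echo "genuine artifact:   OK"
    verify_release "$WORK/tampered.tar.gz" "$ART.asc" "$WORK/KEYS" || echo "tampered artifact:  REJECTED"
    verify_release "$ART" "$WORK/rogue.asc" "$WORK/KEYS" || echo "unpublished key:    REJECTED"
}
demo
```

The point of the empty keyring is that verification never consults the user's personal web of trust or a keyserver: if a signature validates at all, it validates against a key the project itself distributed, which is exactly what a PGP-signed binary bought from an RM can promise and what an Authenticode signature cannot be checked for with stock Linux tools.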
