From Jürgen Schmidt <jogischm...@gmail.com>
Subject Re: Official code signing certificate
Date Fri, 12 Apr 2013 11:32:20 GMT
On 3/26/13 8:58 PM, Daniel Shahaf wrote:
> On Fri, Mar 22, 2013 at 06:57:13PM +0200, Daniel Shahaf wrote:
>> How about only signing with the real certificate once three PMC members
>> PGP-signed the binaries-built-against-the-self-signed-certificate.
> 
> Note that after the binaries-signed-with-the-real-certificate are built, they
> would have to be PGP-signed _again_ before they can be distributed.
> 
> That's because infra has tools and policies around signing that assume PGP, and
> we won't be changing them to suit N different ideas by M different PMCs.
> 
adding pgp signature at the final step should be possible, we have to
validate the builds anyway.

How can we move forward? I would like to suggest that we copy a Windows
build bot VM and start working on a real scenario.

1. preparing the AOO build env to sign all necessary files and bits and
use a test certificate (provided by the AOO PMC)

2. the test certificate is installed on the test VM

3. we define and work on a process to communicate which revision should
be used for the build, how the build is triggered, how the results
are provided, etc.

I believe we have to start working on it now and have to figure out what
works best in a practical scenario.

What do others think about it?

Juergen

