www-infrastructure-dev mailing list archives

From Scott Deboy <scott.de...@gmail.com>
Subject Re: Official code signing certificate
Date Tue, 28 May 2013 23:36:34 GMT
I was asked to restate the request Logging Services has of Infra:

Logging Services would like to provide infra with:
 - A Chainsaw release candidate vote thread providing a link to the
release candidate build/svn rev
 - Chainsaw's maven script supports Java code signing.  Infra has to
provide the script with info on the location of the code signing cert
and keys etc.

I don't believe it makes sense for Logging Services to try to describe
the process Infra should be using to get the artifacts signed...we
just need signed artifacts.  Infra understands their requirements
around security and workflow and we don't.  I personally believe the
service WRowe described may work fine for our simple needs, and I
would hope Infra would look into it.

I would like to request that Infra please tell me if they understand
the requirements I've described and provide a technical solution that
will meet our needs.

Thanks,

Scott


On 5/24/13, Scott Deboy <scott.deboy@gmail.com> wrote:
> Logging Services has a simple requirement:
>
> Have the Chainsaw build artifacts signed by a Java code signing cert
> that is signed by a trusted/root CA so the jars can be downloaded via
> WebStart without the user receiving a warning that the signed jars
> aren't trusted.
>
> The Chainsaw maven script supports signing jars - infra just needs to
> point it to the cert.
>
> I don't know whether or not an ASF-wide Java code signing cert makes
> sense or a Logging Services-specific Java code signing cert makes
> sense.  I don't even know if it is possible to have TLP-specific Java
> code signing certs.  I defer to infra on that decision.
>
> I believe the code signing service WRowe described will meet our
> requirements.  Hopefully infra can spend some time looking at the
> service and see how it can meet their requirements.
>
> Logging Services would like to be a guinea pig for the Java code
> signing service WRowe described above.  If there are additional
> details needed by infra, we are happy to provide them.
>
> Thanks,
>
> Scott
>
> On 4/12/13, sebb <sebbaz@gmail.com> wrote:
>> You are now in http://wiki.apache.org/general/ContributorsGroup
>>
>>
>> On 12 April 2013 17:32, William A. Rowe Jr. <wrowe@rowe-clan.net> wrote:
>>
>>> On Fri, 12 Apr 2013 10:47:29 -0500
>>> "William A. Rowe Jr." <wrowe@rowe-clan.net> wrote:
>>>
>>> > On Tue, 26 Mar 2013 00:56:06 +0200
>>> > Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
>>> >
>>> > > Can you write this all down somewhere?  A wiki page maybe
>>> >
>>> > http://wiki.apache.org/general/ASFCodeSigning
>>>
>>> Could one of the page editors please grant WilliamARoweJr some
>>> karma?  I'll document the first-draft approach and the Symantec
>>> service-based approach.
>>>
>>
>
