www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Raymond DeCampo <...@decampo.org>
Subject Re: Code signing
Date Tue, 23 Sep 2014 19:45:57 GMT
I'll see what I can glean from the WSDL

I have joined the mailing list

On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas <markt@apache.org> wrote:

> On 23/09/2014 15:20, Mark Thomas wrote:
> > On 22/09/2014 21:39, Raymond DeCampo wrote:
> >> Mark,
> >>
> >> Do you have any documentation on the web service that is being used to
> >> sign the code?
> >
> > I do, but it was under an NDA. Symantec were going to relax that so we
> > could share the API information. Let me check where we are with that.
>
> Hmm. Symantec are happy that any code that interacts with the API is
> public but they haven't said we can share the API doc (to be fair I
> haven't asked).
>
> For now, the WSDL is public and can be obtained here:
> https://api.ws.symantec.com/webtrust/SigningService?wsdl
>
> Is that enough or do you need more? If you have specific questions I can
> answer them.
>
> > Also, I'm moving this discussion to the appropriate list -
> > infrastructure-dev@apache.org. Please subscribe to that list.
>
> Let me know when you do, and I'll stop cc'ing you.
>
> Cheers,
>
> Mark
>
> >
> > Mark
> >
> >
> >>
> >> Thanks,
> >> Ray
> >>
> >> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas <markt@apache.org
> >> <mailto:markt@apache.org>> wrote:
> >>
> >>     On 12/09/2014 19:34, Raymond DeCampo wrote:
> >>     > Mark,
> >>     >
> >>     > I haven't coded a maven plugin before but I am willing to figure
> it out
> >>     > as I have been looking for some way to contribute.
> >>     >
> >>     > Just dump me whatever information/code you have and I will take
> it from
> >>     > there.  Given you have an ANT plug in already working I don't
> anticipate
> >>     > it will be too difficult.
> >>
> >>     Thanks for the offer. Am I correct in thinking you aren't an Apache
> >>     Committer? Getting you access to the test instance in that case
> might be
> >>     a little tricky. We can cross that bridge when we come to it.
> >>
> >>     The Ant task is here:
> >>
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
> >>
> >>     It does have an issue in that it loads the Base64 of the zip of of
> the
> >>     files to be signed into memory. It would be much better if it was
> >>     streamed. If you fancy taking at a look at that first...
> >>
> >>     > Although, I did want to ask if ASF has any existing maven plugins
> so I
> >>     > can stay consistent with the established style.
> >>
> >>     This is going to be an infrastructure tool and we don't have any
> Maven
> >>     plugins I am aware of. To be perfectly honest I am far more
> concerned
> >>     about getting something working than style.
> >>
> >>     We should probably continue this on a list somewhere. Let me figure
> out
> >>     which one is best.
> >>
> >>     Mark
> >>
> >>
> >>     >
> >>     > Thanks,
> >>     > Ray
> >>     >
> >>     >
> >>     > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas <markt@apache.org
> <mailto:markt@apache.org>
> >>     > <mailto:markt@apache.org <mailto:markt@apache.org>>>
wrote:
> >>     >
> >>     >     All,
> >>     >
> >>     >     You may be aware that the ASF infra team has been working on
> >>     getting a
> >>     >     code signing service set up.
> >>     >
> >>     >     The test project for this is Apache Tomcat and we are at the
> >>     point where
> >>     >     we are ready to do our first real signing. So why am I writing
> >>     to the
> >>     >     Commons dev list? Daemon.
> >>     >
> >>     >     Tomcat uses Commons Daemon so we'd like to build the signed
> Tomcat
> >>     >     release with signed Commons Daemon binaries. I have the
> >>     signing for the
> >>     >     Tomcat build automated but the Commons one is manual for now
> >>     so there
> >>     >     are no tools to check in.
> >>     >
> >>     >     The ASF will eventually need a Maven plugin to do signing as
> >>     part of the
> >>     >     build. If anyone would like volunteer (I have a simple Ant
> plug-in
> >>     >     written) let me know.
> >>     >
> >>     >     Shortly I will be starting a release vote for a signed
> version of
> >>     >     Commons Daemon 1.0.15. This will be exactly the same as the
> >>     binaries we
> >>     >     have already shipped apart from that the Windows binaries in
> the
> >>     >     packages will be signed executables. I plan to stage them
> >>     alongside the
> >>     >     existing 1.0.15 binaries rather than replace them. Eventually,
> >>     I expect
> >>     >     the Daemon release process to generate signed binaries.
> >>     >
> >>     >     Any questions, just ask.
> >>     >
> >>     >     Mark
> >>     >
> >>     >
> >>
> ---------------------------------------------------------------------
> >>     >     To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >>     <mailto:dev-unsubscribe@commons.apache.org>
> >>     >     <mailto:dev-unsubscribe@commons.apache.org
> >>     <mailto:dev-unsubscribe@commons.apache.org>>
> >>     >     For additional commands, e-mail: dev-help@commons.apache.org
> <mailto:dev-help@commons.apache.org>
> >>     >     <mailto:dev-help@commons.apache.org
> >>     <mailto:dev-help@commons.apache.org>>
> >>     >
> >>     >
> >>
> >>
> >
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message