Date: Wed, 24 Sep 2014 21:17:30 +0100
From: Mark Thomas
To: infrastructure-dev@apache.org
Subject: Re: Code signing

On 23/09/2014 20:45, Raymond DeCampo wrote:
> I'll see what I can glean from the WSDL

That and the Tomcat code should be enough for you to figure things out.

I discovered today that the production service and the test service have
some minor differences. The production service needs files to have
extensions else it fails to sign them.
So, rather than naming the files 0,1,2 etc. the Tomcat code now retains
the original file extension so the names are 0.exe,1.dll, etc.

> I have joined the mailing list

Excellent.

Mark

>
> On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas wrote:
>
>> On 23/09/2014 15:20, Mark Thomas wrote:
>>> On 22/09/2014 21:39, Raymond DeCampo wrote:
>>>> Mark,
>>>>
>>>> Do you have any documentation on the web service that is being used to
>>>> sign the code?
>>>
>>> I do, but it was under an NDA. Symantec were going to relax that so we
>>> could share the API information. Let me check where we are with that.
>>
>> Hmm. Symantec are happy that any code that interacts with the API is
>> public but they haven't said we can share the API doc (to be fair I
>> haven't asked).
>>
>> For now, the WSDL is public and can be obtained here:
>> https://api.ws.symantec.com/webtrust/SigningService?wsdl
>>
>> Is that enough or do you need more? If you have specific questions I can
>> answer them.
>>
>>> Also, I'm moving this discussion to the appropriate list -
>>> infrastructure-dev@apache.org. Please subscribe to that list.
>>
>> Let me know when you do, and I'll stop cc'ing you.
>>
>> Cheers,
>>
>> Mark
>>
>>>
>>> Mark
>>>
>>>>
>>>> Thanks,
>>>> Ray
>>>>
>>>> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas wrote:
>>>>
>>>> On 12/09/2014 19:34, Raymond DeCampo wrote:
>>>> > Mark,
>>>> >
>>>> > I haven't coded a maven plugin before but I am willing to figure it out
>>>> > as I have been looking for some way to contribute.
>>>> >
>>>> > Just dump me whatever information/code you have and I will take it from
>>>> > there. Given you have an ANT plug in already working I don't anticipate
>>>> > it will be too difficult.
>>>>
>>>> Thanks for the offer. Am I correct in thinking you aren't an Apache
>>>> Committer? Getting you access to the test instance in that case might be
>>>> a little tricky. We can cross that bridge when we come to it.
>>>>
>>>> The Ant task is here:
>>>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
>>>>
>>>> It does have an issue in that it loads the Base64 of the zip of the
>>>> files to be signed into memory. It would be much better if it was
>>>> streamed. If you fancy taking a look at that first...
>>>>
>>>> > Although, I did want to ask if ASF has any existing maven plugins so I
>>>> > can stay consistent with the established style.
>>>>
>>>> This is going to be an infrastructure tool and we don't have any Maven
>>>> plugins I am aware of. To be perfectly honest I am far more concerned
>>>> about getting something working than style.
>>>>
>>>> We should probably continue this on a list somewhere. Let me figure out
>>>> which one is best.
>>>>
>>>> Mark
>>>>
>>>> >
>>>> > Thanks,
>>>> > Ray
>>>> >
>>>> >
>>>> > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas wrote:
>>>> >
>>>> >     All,
>>>> >
>>>> >     You may be aware that the ASF infra team has been working on getting a
>>>> >     code signing service set up.
>>>> >
>>>> >     The test project for this is Apache Tomcat and we are at the point where
>>>> >     we are ready to do our first real signing. So why am I writing to the
>>>> >     Commons dev list? Daemon.
>>>> >
>>>> >     Tomcat uses Commons Daemon so we'd like to build the signed Tomcat
>>>> >     release with signed Commons Daemon binaries. I have the signing for the
>>>> >     Tomcat build automated but the Commons one is manual for now so there
>>>> >     are no tools to check in.
>>>> >
>>>> >     The ASF will eventually need a Maven plugin to do signing as part of the
>>>> >     build. If anyone would like to volunteer (I have a simple Ant plug-in
>>>> >     written) let me know.
>>>> >
>>>> >     Shortly I will be starting a release vote for a signed version of
>>>> >     Commons Daemon 1.0.15.
>>>> >     This will be exactly the same as the binaries we
>>>> >     have already shipped apart from that the Windows binaries in the
>>>> >     packages will be signed executables. I plan to stage them alongside the
>>>> >     existing 1.0.15 binaries rather than replace them. Eventually, I expect
>>>> >     the Daemon release process to generate signed binaries.
>>>> >
>>>> >     Any questions, just ask.
>>>> >
>>>> >     Mark
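
Added example, not part of the original thread and not the Tomcat SignCode.java code: a sketch of the two points raised above, naming zip entries by index plus the original extension (0.exe, 1.dll) and streaming the Base64 of the zip instead of holding it in memory. The class name, method names and sample files are hypothetical, and how the payload is placed in the signing request is not shown.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Base64;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class StreamedSigningPayload {

    /** Entry name is the list index plus the original extension: 0.exe, 1.dll, ... */
    static String entryName(int index, Path file) {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        // No usable extension: fail locally instead of sending a file the service will not sign.
        if (dot <= 0 || dot == name.length() - 1) {
            throw new IllegalArgumentException("File has no extension: " + file);
        }
        return index + name.substring(dot);
    }

    /** Writes the Base64 of a zip of the files to sink, one buffer at a time. */
    static void writeBase64Zip(List<Path> files, OutputStream sink) throws IOException {
        // Closing the Base64 wrapper emits the final padding and also closes sink.
        try (OutputStream b64 = Base64.getEncoder().wrap(sink);
             ZipOutputStream zip = new ZipOutputStream(b64)) {
            for (int i = 0; i < files.size(); i++) {
                zip.putNextEntry(new ZipEntry(entryName(i, files.get(i))));
                Files.copy(files.get(i), zip); // file -> zip -> Base64 -> sink
                zip.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs in a temporary directory (not real binaries).
        Path dir = Files.createTempDirectory("signing-demo");
        Path exe = Files.write(dir.resolve("sample.exe"), new byte[] {'M', 'Z', 0, 0});
        Path dll = Files.write(dir.resolve("sample.dll"), new byte[] {'M', 'Z', 1, 1});
        Path out = dir.resolve("payload.b64");
        try (OutputStream sink = Files.newOutputStream(out)) {
            writeBase64Zip(List.of(exe, dll), sink);
        }
        System.out.println(entryName(0, exe) + " " + entryName(1, dll));
        System.out.println("Base64 payload bytes: " + Files.size(out));
    }
}
```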