www-infrastructure-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [OFFLIST] Re: Code signing
Date Tue, 14 Oct 2014 19:07:56 GMT
On 10/10/2014 02:37, Raymond DeCampo wrote:
> Mark,
> 
> I've got the code running in a Maven plug in but I am running into an
> authentication error when the service is called.  I checked out the Tomcat
> build scripts but they just have placeholders for the authentication
> information.

private static String USERNAME = "AOOAPI";
private static String PASSWORD = "Demo1234!";
private static String PARTNERCODE = "4615797APA95264";

Enjoy!

Mark


> 
> Also, I thought I should verify some assumptions I was making.  First,
> since this is a Maven plug-in, I assumed we were interested in signing the
> archive built by the Maven script.  Is this what we want or are we signing
> an arbitrary set of files?
> 
> Second, and this kind of goes with the first assumption, I assumed we were
> signing JAR files and not executables.  In this case I need to know how to
> vary the parameters to the signing service.  E.g., I imagine the
> signingServiceName would be different from "Microsoft Signing".
> 
> Thanks,
> Ray
> 
> On Wed, Sep 24, 2014 at 4:17 PM, Mark Thomas <markt@apache.org> wrote:
> 
>> On 23/09/2014 20:45, Raymond DeCampo wrote:
>>> I'll see what I can glean from the WSDL
>>
>> That and the Tomcat code should be enough for you to figure things out.
>>
>> I discovered today that the production service and the test service have
>> some minor differences. The production service needs files to have
>> extensions else it fails to sign them. So, rather than naming the files
>> 0,1,2 etc. the Tomcat code now retains the original file extension so
>> the names are 0.exe,1.dll, etc.
>>
>>> I have joined the mailing list
>>
>> Excellent.
>>
>> Mark
>>
>>
>>>
>>> On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas <markt@apache.org> wrote:
>>>
>>>> On 23/09/2014 15:20, Mark Thomas wrote:
>>>>> On 22/09/2014 21:39, Raymond DeCampo wrote:
>>>>>> Mark,
>>>>>>
>>>>>> Do you have any documentation on the web service that is being used to
>>>>>> sign the code?
>>>>>
>>>>> I do, but it was under an NDA. Symantec were going to relax that so we
>>>>> could share the API information. Let me check where we are with that.
>>>>
>>>> Hmm. Symantec are happy that any code that interacts with the API is
>>>> public but they haven't said we can share the API doc (to be fair I
>>>> haven't asked).
>>>>
>>>> For now, the WSDL is public and can be obtained here:
>>>> https://api.ws.symantec.com/webtrust/SigningService?wsdl
>>>>
>>>> Is that enough or do you need more? If you have specific questions I can
>>>> answer them.
>>>>
>>>>> Also, I'm moving this discussion to the appropriate list -
>>>>> infrastructure-dev@apache.org. Please subscribe to that list.
>>>>
>>>> Let me know when you do, and I'll stop cc'ing you.
>>>>
>>>> Cheers,
>>>>
>>>> Mark
>>>>
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Ray
>>>>>>
>>>>>> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas <markt@apache.org> wrote:
>>>>>>
>>>>>>     On 12/09/2014 19:34, Raymond DeCampo wrote:
>>>>>>     > Mark,
>>>>>>     >
>>>>>>     > I haven't coded a maven plugin before but I am willing to figure it out
>>>>>>     > as I have been looking for some way to contribute.
>>>>>>     >
>>>>>>     > Just dump me whatever information/code you have and I will take it from
>>>>>>     > there.  Given you have an ANT plug in already working I don't anticipate
>>>>>>     > it will be too difficult.
>>>>>>
>>>>>>     Thanks for the offer. Am I correct in thinking you aren't an Apache
>>>>>>     Committer? Getting you access to the test instance in that case might be
>>>>>>     a little tricky. We can cross that bridge when we come to it.
>>>>>>
>>>>>>     The Ant task is here:
>>>>>>
>>>>>>     http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
>>>>>>
>>>>>>     It does have an issue in that it loads the Base64 of the zip of the
>>>>>>     files to be signed into memory. It would be much better if it was
>>>>>>     streamed. If you fancy taking a look at that first...
>>>>>>
>>>>>>     > Although, I did want to ask if ASF has any existing maven plugins so I
>>>>>>     > can stay consistent with the established style.
>>>>>>
>>>>>>     This is going to be an infrastructure tool and we don't have any Maven
>>>>>>     plugins I am aware of. To be perfectly honest I am far more concerned
>>>>>>     about getting something working than style.
>>>>>>
>>>>>>     We should probably continue this on a list somewhere. Let me figure out
>>>>>>     which one is best.
>>>>>>
>>>>>>     Mark
>>>>>>
>>>>>>
>>>>>>     >
>>>>>>     > Thanks,
>>>>>>     > Ray
>>>>>>     >
>>>>>>     >
>>>>>>     > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas <markt@apache.org> wrote:
>>>>>>     >
>>>>>>     >     All,
>>>>>>     >
>>>>>>     >     You may be aware that the ASF infra team has been working on getting a
>>>>>>     >     code signing service set up.
>>>>>>     >
>>>>>>     >     The test project for this is Apache Tomcat and we are at the point where
>>>>>>     >     we are ready to do our first real signing. So why am I writing to the
>>>>>>     >     Commons dev list? Daemon.
>>>>>>     >
>>>>>>     >     Tomcat uses Commons Daemon so we'd like to build the signed Tomcat
>>>>>>     >     release with signed Commons Daemon binaries. I have the signing for the
>>>>>>     >     Tomcat build automated but the Commons one is manual for now so there
>>>>>>     >     are no tools to check in.
>>>>>>     >
>>>>>>     >     The ASF will eventually need a Maven plugin to do signing as part of the
>>>>>>     >     build. If anyone would like to volunteer (I have a simple Ant plug-in
>>>>>>     >     written) let me know.
>>>>>>     >
>>>>>>     >     Shortly I will be starting a release vote for a signed version of
>>>>>>     >     Commons Daemon 1.0.15. This will be exactly the same as the binaries we
>>>>>>     >     have already shipped apart from that the Windows binaries in the
>>>>>>     >     packages will be signed executables. I plan to stage them alongside the
>>>>>>     >     existing 1.0.15 binaries rather than replace them. Eventually, I expect
>>>>>>     >     the Daemon release process to generate signed binaries.
>>>>>>     >
>>>>>>     >     Any questions, just ask.
>>>>>>     >
>>>>>>     >     Mark
>>>>>>     >
>>>>>>     >
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> 
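
The streaming change suggested in the quoted 12/09/2014 message, combined with the extension-preserving entry names described in the 24 Sep reply, as an added Java example (Java 9+); it is not the Tomcat SignCode task or any code from this thread. The class and method names, the sample file names and the payload file standing in for the request body are assumptions, and the signing service's SOAP request itself is not modelled.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

public class StreamingSignPayload {

    // Entry name = index + original extension, per the thread: the production
    // service fails to sign files without one (0.exe, 1.dll rather than 0, 1).
    static String entryName(int index, Path file) {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot > 0 ? index + name.substring(dot) : Integer.toString(index);
    }

    // Writes Base64(zip(files)) to sink in small chunks, so neither the zip
    // nor its Base64 text is held in memory as a whole. Closes sink when done.
    static void writeBase64Zip(List<Path> files, OutputStream sink) throws IOException {
        try (ZipOutputStream zip = new ZipOutputStream(Base64.getEncoder().wrap(sink))) {
            for (int i = 0; i < files.size(); i++) {
                zip.putNextEntry(new ZipEntry(entryName(i, files.get(i))));
                Files.copy(files.get(i), zip);   // streams the file through a small buffer
                zip.closeEntry();
            }
        }
    }

    // Reads the entry names back from a Base64-encoded zip, also streamed.
    static List<String> entryNames(InputStream base64Zip) throws IOException {
        List<String> names = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(Base64.getDecoder().wrap(base64Zip))) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                names.add(e.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: dummy bytes, not real binaries.
        Path dir = Files.createTempDirectory("signdemo");
        Path exe = Files.write(dir.resolve("service.exe"), new byte[200_000]);
        Path dll = Files.write(dir.resolve("native.dll"), new byte[100_000]);
        Path payload = dir.resolve("payload.b64");   // stands in for the request body
        writeBase64Zip(List.of(exe, dll), Files.newOutputStream(payload));
        try (InputStream in = Files.newInputStream(payload)) {
            System.out.println(entryNames(in));
        }
    }
}
```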

