www-infrastructure-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [Not! OFFLIST] Re: Code signing
Date Tue, 14 Oct 2014 19:09:11 GMT
On 14/10/2014 20:07, Mark Thomas wrote:
> On 10/10/2014 02:37, Raymond DeCampo wrote:
>> Mark,
>>
>> I've got the code running in a Maven plug in but I am running into an
>> authentication error when the service is called.  I checked out the Tomcat
>> build scripts but they just have placeholders for the authentication
>> information.
> 
> private static String USERNAME = "AOOAPI";
> private static String PASSWORD = "Demo1234!";
> private static String PARTNERCODE = "4615797APA95264";

And I am an idiot.

I'll get Symantec to change those but for now you can use them.

Mark

> 
> Enjoy!
> 
> Mark
> 
> 
>>
>> Also, I thought I should verify some assumptions I was making.  First,
>> since this is a Maven plug-in, I assumed we were interested in signing the
>> archive built by the Maven script.  Is this what we want or are we signing
>> an arbitrary set of files?
>>
>> Second, and this kind of goes with the first assumption, I assumed we were
>> signing JAR files and not executables.  In this case I need to know how to
>> vary the parameters to the signing service.  E.g., I imagine the
>> signingServiceName would be different from "Microsoft Signing".
>>
>> Thanks,
>> Ray
>>
>> On Wed, Sep 24, 2014 at 4:17 PM, Mark Thomas <markt@apache.org> wrote:
>>
>>> On 23/09/2014 20:45, Raymond DeCampo wrote:
>>>> I'll see what I can glean from the WSDL
>>>
>>> That and the Tomcat code should be enough for you to figure things out.
>>>
>>> I discovered today that the production service and the test service have
>>> some minor differences. The production service needs files to have
>>> extensions else it fails to sign them. So, rather than naming the files
>>> 0,1,2 etc. the Tomcat code now retains the original file extension so
>>> the names are 0.exe,1.dll, etc.
>>>
>>>> I have joined the mailing list
>>>
>>> Excellent.
>>>
>>> Mark
>>>
>>>
>>>>
>>>> On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas <markt@apache.org> wrote:
>>>>
>>>>> On 23/09/2014 15:20, Mark Thomas wrote:
>>>>>> On 22/09/2014 21:39, Raymond DeCampo wrote:
>>>>>>> Mark,
>>>>>>>
>>>>>>> Do you have any documentation on the web service that is being used to
>>>>>>> sign the code?
>>>>>>
>>>>>> I do, but it was under an NDA. Symantec were going to relax that so we
>>>>>> could share the API information. Let me check where we are with that.
>>>>>
>>>>> Hmm. Symantec are happy that any code that interacts with the API is
>>>>> public but they haven't said we can share the API doc (to be fair I
>>>>> haven't asked).
>>>>>
>>>>> For now, the WSDL is public and can be obtained here:
>>>>> https://api.ws.symantec.com/webtrust/SigningService?wsdl
>>>>>
>>>>> Is that enough or do you need more? If you have specific questions I can
>>>>> answer them.
>>>>>
>>>>>> Also, I'm moving this discussion to the appropriate list -
>>>>>> infrastructure-dev@apache.org. Please subscribe to that list.
>>>>>
>>>>> Let me know when you do, and I'll stop cc'ing you.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Mark
>>>>>
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ray
>>>>>>>
>>>>>>> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas <markt@apache.org> wrote:
>>>>>>>
>>>>>>>     On 12/09/2014 19:34, Raymond DeCampo wrote:
>>>>>>>     > Mark,
>>>>>>>     >
>>>>>>>     > I haven't coded a maven plugin before but I am willing to figure it out
>>>>>>>     > as I have been looking for some way to contribute.
>>>>>>>     >
>>>>>>>     > Just dump me whatever information/code you have and I will take it from
>>>>>>>     > there.  Given you have an ANT plug in already working I don't anticipate
>>>>>>>     > it will be too difficult.
>>>>>>>
>>>>>>>     Thanks for the offer. Am I correct in thinking you aren't an Apache
>>>>>>>     Committer? Getting you access to the test instance in that case might be
>>>>>>>     a little tricky. We can cross that bridge when we come to it.
>>>>>>>
>>>>>>>     The Ant task is here:
>>>>>>>
>>>>>>>     http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
>>>>>>>
>>>>>>>     It does have an issue in that it loads the Base64 of the zip of the
>>>>>>>     files to be signed into memory. It would be much better if it was
>>>>>>>     streamed. If you fancy taking a look at that first...
>>>>>>>
>>>>>>>     > Although, I did want to ask if ASF has any existing maven plugins so I
>>>>>>>     > can stay consistent with the established style.
>>>>>>>
>>>>>>>     This is going to be an infrastructure tool and we don't have any Maven
>>>>>>>     plugins I am aware of. To be perfectly honest I am far more concerned
>>>>>>>     about getting something working than style.
>>>>>>>
>>>>>>>     We should probably continue this on a list somewhere. Let me figure out
>>>>>>>     which one is best.
>>>>>>>
>>>>>>>     Mark
>>>>>>>
>>>>>>>
>>>>>>>     >
>>>>>>>     > Thanks,
>>>>>>>     > Ray
>>>>>>>     >
>>>>>>>     >
>>>>>>>     > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas <markt@apache.org> wrote:
>>>>>>>     >
>>>>>>>     >     All,
>>>>>>>     >
>>>>>>>     >     You may be aware that the ASF infra team has been working on getting a
>>>>>>>     >     code signing service set up.
>>>>>>>     >
>>>>>>>     >     The test project for this is Apache Tomcat and we are at the point where
>>>>>>>     >     we are ready to do our first real signing. So why am I writing to the
>>>>>>>     >     Commons dev list? Daemon.
>>>>>>>     >
>>>>>>>     >     Tomcat uses Commons Daemon so we'd like to build the signed Tomcat
>>>>>>>     >     release with signed Commons Daemon binaries. I have the signing for the
>>>>>>>     >     Tomcat build automated but the Commons one is manual for now so there
>>>>>>>     >     are no tools to check in.
>>>>>>>     >
>>>>>>>     >     The ASF will eventually need a Maven plugin to do signing as part of the
>>>>>>>     >     build. If anyone would like to volunteer (I have a simple Ant plug-in
>>>>>>>     >     written) let me know.
>>>>>>>     >
>>>>>>>     >     Shortly I will be starting a release vote for a signed version of
>>>>>>>     >     Commons Daemon 1.0.15. This will be exactly the same as the binaries we
>>>>>>>     >     have already shipped apart from that the Windows binaries in the
>>>>>>>     >     packages will be signed executables. I plan to stage them alongside the
>>>>>>>     >     existing 1.0.15 binaries rather than replace them. Eventually, I expect
>>>>>>>     >     the Daemon release process to generate signed binaries.
>>>>>>>     >
>>>>>>>     >     Any questions, just ask.
>>>>>>>     >
>>>>>>>     >     Mark
>>>>>>>     >
>>>>>>>     >
>>>>>>>
>>>>>>>     >     ---------------------------------------------------------------------
>>>>>>>     >     To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>>>>     >     For additional commands, e-mail: dev-help@commons.apache.org
>>>>>>>     >
>>>>>>>     >
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
> 
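
The streaming approach suggested earlier in the thread (zip the files and Base64-encode the zip without holding it in memory), as an added example that is not part of the original messages and is not the Tomcat SignCode.java code. The class and method names are hypothetical, and how the encoded payload is placed into the signing request is not shown.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

// Hypothetical helper: names are illustrative, not taken from the Tomcat build.
public class StreamingSignPayload {

    // Entry name is the file's index plus its original extension ("0.exe",
    // "1.dll"), because the thread notes the production service fails to
    // sign files that have no extension.
    static String entryName(int index, Path file) {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot < 0 ? Integer.toString(index) : index + name.substring(dot);
    }

    // Zips the files and Base64-encodes the zip in a single pass. Only the
    // stream buffers are held in memory, never the whole archive or its
    // encoded form.
    static void writeBase64Zip(List<Path> files, OutputStream sink) throws IOException {
        OutputStream b64 = Base64.getEncoder().wrap(sink);
        try (ZipOutputStream zip = new ZipOutputStream(b64)) {
            for (int i = 0; i < files.size(); i++) {
                zip.putNextEntry(new ZipEntry(entryName(i, files.get(i))));
                Files.copy(files.get(i), zip); // streams file bytes into the entry
                zip.closeEntry();
            }
        } // closing the zip closes b64, which writes the final Base64 padding
    }

    public static void main(String[] args) throws IOException {
        List<Path> files = new ArrayList<>();
        for (String arg : args) {
            files.add(Paths.get(arg));
        }
        // Assumption: the payload is written to a local file for inspection.
        try (OutputStream out = Files.newOutputStream(Paths.get("payload.b64"))) {
            writeBase64Zip(files, out);
        }
    }
}
```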

