www-infrastructure-dev mailing list archives

From Raymond DeCampo <...@decampo.org>
Subject Re: Code signing
Date Fri, 10 Oct 2014 01:37:44 GMT
Mark,

I've got the code running in a Maven plug in but I am running into an
authentication error when the service is called.  I checked out the Tomcat
build scripts but they just have placeholders for the authentication
information.

Also, I thought I should verify some assumptions I was making.  First,
since this is a Maven plug-in, I assumed we were interested in signing the
archive built by the Maven script.  Is this what we want or are we signing
an arbitrary set of files?

Second, and this kind of goes with the first assumption, I assumed we were
signing JAR files and not executables.  In this case I need to know how to
vary the parameters to the signing service.  E.g., I imagine the
signingServiceName would be different from "Microsoft Signing".

Thanks,
Ray

On Wed, Sep 24, 2014 at 4:17 PM, Mark Thomas <markt@apache.org> wrote:

> On 23/09/2014 20:45, Raymond DeCampo wrote:
> > I'll see what I can glean from the WSDL
>
> That and the Tomcat code should be enough for you to figure things out.
>
> I discovered today that the production service and the test service have
> some minor differences. The production service needs files to have
> extensions else it fails to sign them. So, rather than naming the files
> 0,1,2 etc. the Tomcat code now retains the original file extension so
> the names are 0.exe,1.dll, etc.
>
> > I have joined the mailing list
>
> Excellent.
>
> Mark
>
>
> >
> > On Tue, Sep 23, 2014 at 2:20 PM, Mark Thomas <markt@apache.org> wrote:
> >
> >> On 23/09/2014 15:20, Mark Thomas wrote:
> >>> On 22/09/2014 21:39, Raymond DeCampo wrote:
> >>>> Mark,
> >>>>
> >>>> Do you have any documentation on the web service that is being used to
> >>>> sign the code?
> >>>
> >>> I do, but it was under an NDA. Symantec were going to relax that so we
> >>> could share the API information. Let me check where we are with that.
> >>
> >> Hmm. Symantec are happy that any code that interacts with the API is
> >> public but they haven't said we can share the API doc (to be fair I
> >> haven't asked).
> >>
> >> For now, the WSDL is public and can be obtained here:
> >> https://api.ws.symantec.com/webtrust/SigningService?wsdl
> >>
> >> Is that enough or do you need more? If you have specific questions I can
> >> answer them.
> >>
> >>> Also, I'm moving this discussion to the appropriate list -
> >>> infrastructure-dev@apache.org. Please subscribe to that list.
> >>
> >> Let me know when you do, and I'll stop cc'ing you.
> >>
> >> Cheers,
> >>
> >> Mark
> >>
> >>>
> >>> Mark
> >>>
> >>>
> >>>>
> >>>> Thanks,
> >>>> Ray
> >>>>
> >>>> On Fri, Sep 12, 2014 at 2:42 PM, Mark Thomas <markt@apache.org> wrote:
> >>>>
> >>>>     On 12/09/2014 19:34, Raymond DeCampo wrote:
> >>>>     > Mark,
> >>>>     >
> >>>>     > I haven't coded a maven plugin before but I am willing to figure it out
> >>>>     > as I have been looking for some way to contribute.
> >>>>     >
> >>>>     > Just dump me whatever information/code you have and I will take it from
> >>>>     > there.  Given you have an ANT plug in already working I don't anticipate
> >>>>     > it will be too difficult.
> >>>>
> >>>>     Thanks for the offer. Am I correct in thinking you aren't an Apache
> >>>>     Committer? Getting you access to the test instance in that case might be
> >>>>     a little tricky. We can cross that bridge when we come to it.
> >>>>
> >>>>     The Ant task is here:
> >>>>
> >>>>     http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/buildutil/SignCode.java?view=annotate
> >>>>
> >>>>     It does have an issue in that it loads the Base64 of the zip of the
> >>>>     files to be signed into memory. It would be much better if it was
> >>>>     streamed. If you fancy taking a look at that first...
> >>>>
> >>>>     > Although, I did want to ask if ASF has any existing maven plugins so I
> >>>>     > can stay consistent with the established style.
> >>>>
> >>>>     This is going to be an infrastructure tool and we don't have any Maven
> >>>>     plugins I am aware of. To be perfectly honest I am far more concerned
> >>>>     about getting something working than style.
> >>>>
> >>>>     We should probably continue this on a list somewhere. Let me figure out
> >>>>     which one is best.
> >>>>
> >>>>     Mark
> >>>>
> >>>>
> >>>>     >
> >>>>     > Thanks,
> >>>>     > Ray
> >>>>     >
> >>>>     >
> >>>>     > On Thu, Sep 11, 2014 at 3:05 PM, Mark Thomas <markt@apache.org> wrote:
> >>>>     >
> >>>>     >     All,
> >>>>     >
> >>>>     >     You may be aware that the ASF infra team has been working on getting a
> >>>>     >     code signing service set up.
> >>>>     >
> >>>>     >     The test project for this is Apache Tomcat and we are at the point where
> >>>>     >     we are ready to do our first real signing. So why am I writing to the
> >>>>     >     Commons dev list? Daemon.
> >>>>     >
> >>>>     >     Tomcat uses Commons Daemon so we'd like to build the signed Tomcat
> >>>>     >     release with signed Commons Daemon binaries. I have the signing for the
> >>>>     >     Tomcat build automated but the Commons one is manual for now so there
> >>>>     >     are no tools to check in.
> >>>>     >
> >>>>     >     The ASF will eventually need a Maven plugin to do signing as part of the
> >>>>     >     build. If anyone would like to volunteer (I have a simple Ant plug-in
> >>>>     >     written) let me know.
> >>>>     >
> >>>>     >     Shortly I will be starting a release vote for a signed version of
> >>>>     >     Commons Daemon 1.0.15. This will be exactly the same as the binaries we
> >>>>     >     have already shipped apart from that the Windows binaries in the
> >>>>     >     packages will be signed executables. I plan to stage them alongside the
> >>>>     >     existing 1.0.15 binaries rather than replace them. Eventually, I expect
> >>>>     >     the Daemon release process to generate signed binaries.
> >>>>     >
> >>>>     >     Any questions, just ask.
> >>>>     >
> >>>>     >     Mark
> >>>>     >
> >>>>     >
> >>>>     >     ---------------------------------------------------------------------
> >>>>     >     To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >>>>     >     For additional commands, e-mail: dev-help@commons.apache.org
> >>>>     >
> >>>>     >
> >>>>
> >>>>
> >>>
> >>
> >>
> >
>
>
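
The streaming suggested in the quoted 12 Sep message (Base64 of the zip without holding it in memory), combined with the extension-preserving entry names from the 24 Sep reply, as an added example that is not part of this thread or of Tomcat's SignCode task. The class and method names are hypothetical, and `sink` stands for whatever stream the request body is written to.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

// Added example, not the Tomcat SignCode task; all names here are hypothetical.
public class StreamingSigningPayload {

    // Entry name = position in the list plus the original extension ("0.exe", "1.dll"),
    // because the thread reports that the production service fails on names without one.
    static String entryName(int index, Path file) {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot > 0 ? index + name.substring(dot) : Integer.toString(index);
    }

    // Zip the files and Base64-encode the archive as it is produced. Only the copy
    // buffer is held in memory, never the whole zip or its encoded form.
    static void writeBase64Zip(List<Path> files, OutputStream sink) throws IOException {
        OutputStream b64 = Base64.getEncoder().wrap(sink);
        try (ZipOutputStream zip = new ZipOutputStream(b64)) {
            for (int i = 0; i < files.size(); i++) {
                zip.putNextEntry(new ZipEntry(entryName(i, files.get(i))));
                Files.copy(files.get(i), zip);
                zip.closeEntry();
            }
        } // closing the zip closes the encoder, which writes the final Base64 padding
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs standing in for build outputs.
        Path dir = Files.createTempDirectory("signing-demo");
        Path exe = Files.write(dir.resolve("service.exe"), new byte[] {'M', 'Z', 0, 1});
        Path dll = Files.write(dir.resolve("native.dll"), new byte[] {'M', 'Z', 2, 3});
        Path out = dir.resolve("payload.b64");
        try (OutputStream sink = new BufferedOutputStream(Files.newOutputStream(out))) {
            writeBase64Zip(Arrays.asList(exe, dll), sink);
        }
        // Round trip: decode and list the entries to confirm the names the service would see.
        try (ZipInputStream in = new ZipInputStream(
                Base64.getDecoder().wrap(Files.newInputStream(out)))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                System.out.println(e.getName());
            }
        }
    }
}
```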
