Hi. We are not alone in ASF wishing for code signing, but we might get run over (as I did today on IRC) if we do not formulate our requirements very clearly.

rgds
jan I.

---------- Forwarded message ----------
From: Scott Deboy <[email protected]>
Date: 24 May 2013 18:59
Subject: Re: Official code signing certificate
To: [email protected]

Logging Services has a simple requirement:

Have the Chainsaw build artifacts signed by a Java code signing cert that is signed by a trusted/root CA so the jars can be downloaded via WebStart without the user receiving a warning that the signed jars aren't trusted.

The Chainsaw maven script supports signing jars - infra just needs to point it to the cert.

I don't know whether or not an ASF-wide Java code signing cert makes sense or a Logging Services-specific Java code signing cert makes sense. I don't even know if it is possible to have TLP-specific Java code signing certs. I defer to infra on that decision.

I believe the code signing service WRowe described will meet our requirements. Hopefully infra can spend some time looking at the service and see how it can meet their requirements.

Logging Services would like to be a guinea pig for the Java code signing service WRowe described above.

If there are additional details needed by infra, we are happy to provide them.

Thanks,

Scott

On 4/12/13, sebb <[email protected]> wrote:
> You are now in http://wiki.apache.org/general/ContributorsGroup
>
>
> On 12 April 2013 17:32, William A. Rowe Jr. <[email protected]> wrote:
>
>> On Fri, 12 Apr 2013 10:47:29 -0500
>> "William A. Rowe Jr." <[email protected]> wrote:
>>
>> > On Tue, 26 Mar 2013 00:56:06 +0200
>> > Daniel Shahaf <[email protected]> wrote:
>> >
>> > > Can you write this all down somewhere? A wiki page maybe
>> >
>> > http://wiki.apache.org/general/ASFCodeSigning
>>
>> Could one of the page editors please grant WilliamARoweJr some
>> karma? I'll document the first-draft approach and the Symantec
>> service-based approach.
