On 24/01/2017 19:15, Christopher Schultz wrote:
> Mark,
>
> On 1/24/17 12:36 PM, Mark Thomas wrote:
>> On 24/01/2017 16:31, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 1/23/17 5:53 AM, Mark Thomas wrote:
>>>> I think it would be useful if we configured buildbot to publish
>>>> snapshots (probably as part of the daily build) to repository.a.o.
>>>> Therefore I have requested the appropriate credentials from infra and
>>>> when I have them I'll make the necessary changes to the buildbot config.
>>>> It might also be necessary to tweak our build scripts.
>>>
>>> +1
>>>
>>> Will those (non) releases be signed?
>>
>> No. Handling that is one of the tweaks I'm expecting to have to make to
>> the build script.
>
> I'm kind of -0 or +0 on signing nightlies.
>
> On the one hand, they are being auto-signed which is pretty risky
> because anyone with access to the build server can then sign releases.
>
> On the other hand, we would certainly be using a "nightly release
> signer" and not e.g. markt's release-signing keys, so that's a little
> less risky: the signing key will clearly advertise what it's being used for.
>
> I just want to make sure that a nightly-signed release is somehow
> flagged by ... whoever cares to check for signatures. I wouldn't want a
> normal release signed by the nightly-release key to be mistaken for an
> official release.
>
> Is there a sane way to do that?

Not really. But I'm not sure it will be necessary. The snapshot will only
be published to the Nexus snapshot repository so anyone getting a snapshot
from there should know what to expect.

> With X.509, you'd just make sure that the nightly-release signer wasn't
> trusted by the root authority that everybody is supposed to trust. That
> way, the code is signed, but the signature isn't automatically trusted
> by everybody.
>
> I have no idea how the code-signing works for our releases, since I just
> grab the binary tarball and use that. GPG checks the signature of the
> file for me. But my understanding is that the code-signing that Symantec
> provides to us is something else entirely (e.g. signing the installer
> .exe for Windows). So I'm happy to be educated.

GPG signing is separate from the Windows installer signing. I'm not
intending to implement either for the snapshots.

Mark
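One way a consumer could get the flagging Chris asks about, as an added example that is not code from this thread or from the Tomcat project: a small checker that feeds the machine-readable output of `gpg --status-fd 1 --verify` through a key allowlist, so a signature from the nightly key is reported as "nightly" instead of being accepted as a release signature. The fingerprints, the sample status lines and the function names are constructed placeholders.

```python
import subprocess
from typing import Iterable

# Constructed placeholder fingerprints; a real checker would load the
# release fingerprints from the project's published KEYS file.
RELEASE_KEYS = {"1111111111111111111111111111111111111111"}
NIGHTLY_KEYS = {"2222222222222222222222222222222222222222"}

# gpg status keywords that mean the signature must not be accepted at all.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def classify(status_lines: Iterable[str]) -> str:
    """Return 'release', 'nightly' or 'reject:<reason>' for one gpg run."""
    signer = None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FATAL:
            return f"reject:{keyword}"
        if keyword == "VALIDSIG":
            # parts[2] is the signing (sub)key; the optional last field is
            # the primary-key fingerprint, which is what a KEYS file lists.
            signer = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    # TRUST_* lines are deliberately ignored: whether gpg's web of trust
    # vouches for the key says nothing about release versus nightly.
    if signer is None:
        return "reject:NO_VALIDSIG"
    if signer in RELEASE_KEYS:
        return "release"
    if signer in NIGHTLY_KEYS:
        return "nightly"
    return "reject:UNKNOWN_KEY"


def verify_file(artifact: str, signature: str) -> str:
    """Run gpg on a detached signature and classify it (requires gpg)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return classify(proc.stdout.splitlines())


# Constructed sample status output for an artifact signed by the nightly key.
SAMPLE_NIGHTLY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 2222222222222222 Nightly Build Signer (constructed)",
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2017-01-24 "
    "1485284100 0 4 0 1 10 01 2222222222222222222222222222222222222222",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
```

`classify(SAMPLE_NIGHTLY)` returns `"nightly"`; the same artifact would verify as a plain "good signature" in an interactive `gpg --verify`, which is exactly the distinction the checker adds.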