> On Feb 1, 2018, at 5:28 PM, Mark Thomas wrote:
>
>> On 01/02/18 22:08, Emmanuel Bourg wrote:
>>> On 23/01/2018 at 07:33, Mark Thomas wrote:
>>>
>>> Thoughts? Comments?
>>
>> +1
+1
>>
>> I might even be able to contribute some elements I developed for my
>> jsign project [1]. jsign is a
On 01/02/18 22:08, Emmanuel Bourg wrote:
> On 23/01/2018 at 07:33, Mark Thomas wrote:
>
>> Thoughts? Comments?
>
> +1
>
> I might even be able to contribute some elements I developed for my
> jsign project [1]. jsign is able to sign Windows executables but using a
> local signing certificate o
On 23/01/2018 at 07:33, Mark Thomas wrote:
> Thoughts? Comments?
+1
I might even be able to contribute some elements I developed for my
jsign project [1]. jsign is able to sign Windows executables but using a
local signing certificate or a PKCS#11 token. It comes with an Ant task,
a Maven plug
There can be of course plans for server-side code signing components.
Thanks,
Robert
>
> Regards
> Bernd
>
> From: Robert Munteanu
> Sent: Tuesday, 30 January 2018 11:21
> To: Commons Developers List
> Subject: Re: [Signing] New component for code signing
>
>
Well, there are plans by me. I would not invest time in a project nobody else
can use…
Maybe there can be some consensus on a common protocol.
Regards
Bernd
From: Robert Munteanu
Sent: Tuesday, 30 January 2018 11:21
To: Commons Developers List
Subject: Re: [Signing] New component for code
Hi Bernd,
On Wed, 2018-01-24 at 22:26 +0100, Bernd Eckenfels wrote:
> +1 - and I would expect we also see a Server-side component.
>
> BTW: Eclipse also has some infrastructure for this (we use a modified
> Version with a PHP backend on-prem)
>
> http://git.eclipse.org/c/cbi/org.eclipse.cbi.git
rds,
>> Benedikt
>>
>> Mark Thomas wrote on Tue, 23 Jan 2018 at 07:34:
>>
>>> All,
>>>
>>> As you may know, the ASF has been using a code signing service for a
>>> number of years provided by Symantec. We use it to sign Commons
> > As you may know, the ASF has been using a code signing service for a
> > number of years provided by Symantec. We use it to sign Commons Daemon
> > Windows binaries.
> >
> > The code signing service has a web based GUI and a SOAP based API.
> > Tomcat has written
+1
On 22 January 2018 at 22:33, Mark Thomas wrote:
> All,
>
> As you may know, the ASF has been using a code signing service for a
> number of years provided by Symantec. We use it to sign Commons Daemon
> Windows binaries.
>
> The code signing service has a web based GUI
: Gary Gregory
Sent: Wednesday, 24 January 2018 22:05
To: Commons Developers List
Subject: Re: [Signing] New component for code signing
+1
Gary
On Wed, Jan 24, 2018 at 1:35 AM, Benedikt Ritter wrote:
> Hello Mark,
>
> +1 In my opinion this is exactly what Commons should be doing.
>
> > As you may know, the ASF has been using a code signing service for a
> > number of years provided by Symantec. We use it to sign Commons Daemon
> > Windows binaries.
> >
> > The code signing service has a web based GUI and a SOAP based API.
> > Tomcat has written an An
Hello Mark,
+1 In my opinion this is exactly what Commons should be doing.
Regards,
Benedikt
Mark Thomas wrote on Tue, 23 Jan 2018 at 07:34:
> All,
>
> As you may know, the ASF has been using a code signing service for a
> number of years provided by Symantec. We us
All,
As you may know, the ASF has been using a code signing service for a
number of years provided by Symantec. We use it to sign Commons Daemon
Windows binaries.
The code signing service has a web based GUI and a SOAP based API.
Tomcat has written an Ant task to use the SOAP API and Sling has
All,
You may be aware that the ASF infra team has been working on getting a
code signing service set up.
The test project for this is Apache Tomcat and we are at the point where
we are ready to do our first real signing. So why am I writing to the
Commons dev list? Daemon.
Tomcat uses Commons
ect we'd just distribute the signed versions.
> How does this relate to signing jars? Are we going to do that as well?
The code signing system being investigated supports signing of JARs (and
a bunch of other stuff) as well as Windows binaries. At this point
Tomcat is only looking to sign the
Are we going to distribute signed and unsigned versions of the same files? How
does this relate to signing jars? Are we going to do that as well?
Gary
Original message From: Mark Thomas
Date:07/01/2014 15:53 (GMT-05:00)
To: Commons Developers List
Subject: Code signing
All,
You may be aware that the ASF is currently evaluating an external code
signing service. So far, things are looking code. Assuming it moves
forward, Apache Tomcat is going to be used as a guinea pig for the live
service. Some of the components Tomcat wants to sign are the procrun
binaries
2009/5/6 Rahul Akolkar
> On Wed, May 6, 2009 at 10:43 AM, Craig L Russell
> wrote:
> > Much better!
> >
>
> > [CraigRussell:~/Downloads] clr% gpg --verify commons-chain-1.2-bin.tar.gz.asc
> > gpg: Signature made Tue May 5 22:13:09 2009 PDT using DSA key ID 42196CA8
> > gpg: Good signatur
>> I'd vote for this signature being valid to sign releases. Only incubator
>> releases right now, since it hasn't been signed by the Apache WOT. That can
>> be fixed at a Sign-a-Thon. ;-)
>>
> I'd vote for Apache Commons releases signed by any key that's in the
> KEYS file (regardless of WOT status
On Wed, May 6, 2009 at 10:43 AM, Craig L Russell wrote:
> Much better!
>
> [CraigRussell:~/Downloads] clr% gpg --verify commons-chain-1.2-bin.tar.gz.asc
> gpg: Signature made Tue May 5 22:13:09 2009 PDT using DSA key ID 42196CA8
> gpg: Good signature from "Christian Grobmeier (Apache Codesigni
Much better!
[CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
gpg: key 42196CA8: public key "Christian Grobmeier (Apache Codesigning) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0
>> http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub
>
> Thanks, that has allowed me to check the signature. Validates OK.
Cool!
> However I was unable to download the key from a keyserver - maybe
> there was a problem with the server I was using.
Strange... I uploaded it to: pg
On 06/05/2009, Christian Grobmeier wrote:
> > Can you upload the public key?
>
>
> http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub
>
Thanks, that has allowed me to check the signature. Validates OK.
However I was unable to download the key from a keyserver - maybe
there was a
> Can you upload the public key?
http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub
> It will need to be added to KEYS at some point if you are to use it.
Yes. I didn't understand when a key is being considered "trusted" at apache.
Meanwhile I think there is not such a policy. H
On 06/05/2009, Christian Grobmeier wrote:
> > gpg: Can't check signature: public key not found
> > [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
> > gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
> > gpgkeys: key 42196CA8 not found on keyserver
>
>
> Thanks, I sent it t
> gpg: Can't check signature: public key not found
> [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
> gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
> gpgkeys: key 42196CA8 not found on keyserver
Thanks, I sent it to several keyservers now :-)
Can you try again?
Christian
Not so good.
Here's what I get after downloading the two files:
[CraigRussell:~/Downloads] clr% gpg --verify commons-chain-1.2-bin.tar.gz.asc
gpg: Signature made Tue May 5 22:13:09 2009 PDT using DSA key ID 42196CA8
gpg: Can't check signature: public key not found
[CraigRussell:~/Downloads
> Why not try creating a signature for an existing Commons release, e.g. IO?
> Upload it to your home directory on people, along with the public key,
> and some of us can see if it is usable.
That would be great! Thanks!
Here are the urls:
http://people.apache.org/~grobmeier/test/commons-chain-1.
Hi,
> as far as I remember CACert is about X.509 certificates and not PGP
> keys. If that assumption is true then this key is not usable for
> PGP-signing.
Yes, but if you are assured at CACert they offer signing your PGP too.
Thanks
Christian
---
ert where I am
> > fully assured and uploaded it to a keyserver.
> > Question: is this a suitable key for code signing at apache?
> >
> > Thanks,
> > Christian
> >
> > ---
to a keyserver.
> Question: is this a suitable key for code signing at apache?
>
> Thanks,
> Christian
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For ad
am
fully assured and uploaded it to a keyserver.
Question: is this a suitable key for code signing at apache?
Thanks,
Christian