On 29/10/2016 00:12, Ariel Constenla-Haile wrote: > On Fri, Oct 28, 2016 at 11:30:30PM +0200, Andrea Pescetti wrote: >> Ariel Constenla-Haile wrote: >>> These prerequisites are not trivial, our build process is already too >>> cumbersome to make integrating >>> https://reference.apache.org/pmc/codesigning appear as something >>> trivial. >> >> That guide refers to the Symantec service for Windows code signing, not to >> the signing services for MacOS X. For Windows we know that this would be >> complex and it was investigated about two years ago. For MacOS X, as far as >> I know, we never investigated the issue in depth (note: I'm only speaking of >> pleasing Gatekeeper, not of entering the App Store which apparently would >> pose bigger challenges). > > According to Mark's answer in this thread, the Symantec service covers > Windows binaries and Java JARs and there is a separate web service for > Apple code signing. I assume this implies also sending build artifacts > over the internet to be signed by this web servicie. This is what I was > pointing as no trivial at all, OpenOffice has already support for > Windows signing (grok signtool) at build time with a local certificate, > using a web service at build time does not look promising. > > I've found > https://reference.apache.org/pmc/appleappstore > https://issues.apache.org/jira/browse/LEGAL-174 > https://issues.apache.org/jira/browse/INFRA-11183 > > @Mark: is there a documentation about the macOS signing service?
https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html and follow the links. From a quick look, you get a cert from Apple and sign locally. I'm not wildly happy about that approach. Infra regularly sees examples of committers failing to secure private keys and I'm concerned about the security of any locally held code signing key. That said, this looks to be the only choice for macOS signing. For now it looks like we have to make sure committers with signing keys understand the that they need to look after those keys carefully. (A significant advantage of the Symantec service is that it manages the keys, uses a new key for every signing and allows per key/signing revocations.) Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
