Cool. I can't find info on "how much" it costs ASF, any pointers before embarking on 100+ artifact signing spree... ;-)
On Fri, Aug 21, 2015 at 12:35 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Thu, Aug 20, 2015 at 8:09 AM, Niclas Hedhman <nic...@hedhman.org> wrote:
>
> > On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > > There are some special things here we do have absolute control over. If a
> > > project wants to provide the 'official' build, why not start signing the .jar?
> >
> > Good idea, but to be practical to users, the certificate for the signing
> > needs to be part of the certificate chain of the JVM (otherwise those would
> > be needed to be installed on every host). I don't know how willing infra
> > would be to support PKI at ASF for this, otherwise many projects will be
> > limited due to cost (I could be wrong by now and that there are totally
> > free CAs)
>
> That infrastructure now exists through code signing service by Symantec.
> One PMC member (or more) gets their own unique login, pushes the artifact
> (.jar, in this example) to the service and is returned a signed artifact
> reflecting the ASF provenance.
>
> The interesting thing is the actual cert is unique to the object, so if it
> is discovered that it was compromised, the signature can be revoked (good
> luck having sig revocations active at boot time, but otherwise this is
> quite useful.) And because there is a history, we know who precisely
> requested each object signing.

--
Niclas Hedhman, Software Developer
http://zest.apache.org - New Energy for Java
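The point in the quoted exchange, that a signed .jar is only useful to end users when the signer's chain ends at a CA the JVM already trusts, can be checked on the consuming side. The following is an added example, not code from this thread or from any ASF project: it assumes Java 9 or later, a jar path as the first argument, and an optional `--revocation` flag (a name chosen here) that turns on CRL/OCSP checking, which is the part Bill notes is hard to rely on at boot time.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the thread): a .jar passes only if every signer chain ends at a CA this JVM already trusts.
public class JarTrustCheck {
    // Trust anchors of the platform default trust store (a null KeyStore selects the JVM's own cacerts).
    static Set<TrustAnchor> jvmTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(c, null));
        return anchors;
    }
    // Throws if an entry is unsigned, its digest differs from the signed manifest, or its
    // signer chain does not reach a JVM trust anchor; returns the signer chains seen.
    static List<CertPath> verify(String jarPath, boolean checkRevocation) throws Exception {
        PKIXParameters params = new PKIXParameters(jvmTrustAnchors());
        params.setRevocationEnabled(checkRevocation); // needs CRL/OCSP reachability when true
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        List<CertPath> chains = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) { // true: verify signatures while reading
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); } // tampered digest throws here
                CodeSigner[] signers = e.getCodeSigners(); // populated only after the entry is fully read
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                for (CodeSigner s : signers) {
                    validator.validate(s.getSignerCertPath(), params); // CertPathValidatorException if untrusted
                    chains.add(s.getSignerCertPath());
                }
            }
        }
        return chains;
    }
    public static void main(String[] args) throws Exception {
        boolean revocation = args.length > 1 && "--revocation".equals(args[1]);
        System.out.println("OK: " + verify(args[0], revocation).size() + " signed entries trusted by this JVM");
    }
}
```

PKIX validation here runs at the current time, so a jar whose signing certificate has since expired is rejected even if the signature carried a trusted timestamp; `jarsigner -verify` accounts for timestamps, this minimal check does not.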