Hi,

There was a mention of this a few weeks ago, that some at Apache were
exploring the possibility of having code signing certificates for Apache
releases.  This was in the thread where we were discussing the anti-virus
warnings about the 3.4 dev builds.  But there was no indication of time
frame.

Looking at the Verisign website, it looks like a 1-year "Authenticode"
certificate costs *$499*.

And I assume that signing an EXE or MSI with a cert would break our
detached PGP signature.   So how we would integrate code signing with
release procedures is an interesting question.  Ditto for how we would
protect our signing key.  I assume we would not want 90 PPMC members
to have access to it.


As far as I remember (IMHO), the signature is person- and system-bound, so there might be a problem integrating it into a server farm. If we need certificates (at least for Win32 binaries) then this is something to think about (ASAP).

Kind regards, Joost
