It seems reasonable to me to tack code signing onto the end of CI builds
from the likes of buildbot and Jenkins. You can then restrict your code
signing service to the robots and avoid the pesky problems humans
introduce into the process.

-- 
Daniel Ruggeri

On 2/25/2016 1:57 PM, Christopher wrote:
> The tricky part would be to establish policy and enforcement of its use for
> ASF-releases only. It would probably have to be used for release candidates
> also. It would obviously have to be locked down to release managers, but
> who are the authorized release managers (PMC, committers, other?), and how
> does one tell what is an authorized release artifact? Trust of the system
> might have to rely on audit logs and policy, rather than strict
> enforcement, which isn't ideal.
>
> A related service could possibly be set up, so instead of pushing directly
> to the mirrors, uploading to dist would trigger signing? We'd also probably
> need to address uploading to the Maven Central staging repositories. For
> Maven projects, a Maven plugin could easily be written which uses this
> service and replaces the maven-gpg-plugin. It could also be done on deploy,
> en route to the staging repositories.
>
> An alternative implementation would be that this service would escrow keys
> not just for ASF-wide, but also for
