Hi Rob,

This is a very well written summary of the situation with Code Signing.

The main concern that the ASF has with digitally signing with a singular 
apache.org certificate for the whole foundation is keeping it in strict 
control. For some this means physical machines. This is a high bar.

I wonder if the ASF would allow AOO to experiment with an OpenOffice.org 
codesigning certificate?

We never thought we would get the wildcard certificate, but hey who knows?

Regards,
Dave

On May 24, 2013, at 2:43 PM, Rob Weir wrote:

> And I should mention that pushing the code signing side is probably
> premature until we have the build side more solidly automated.
> 
> Every discussion we have had about code signing led to the conclusion that
> if something is signed it must come from a trusted build traceable to
> an SVN revision.  So the pre-req for code signing would be to get the
> Windows and MacOS builds, in full release form, with all languages,
> built via buildbots.
> 
> So moving this forward means moving forward things like:
> 
> https://issues.apache.org/jira/browse/INFRA-4902
> 
> Then it would be possible to introduce daily builds signed with a
> self-signed test certificate.  And then, once this is working
> end-to-end, we would use a real certificate.
> 
> Code signing is well-understood.  It has been part of Windows
> development for nearly 20 years.  The technology is not novel, hard to
> understand or difficult to implement.   The main issues are more
> procedural than technical.  ASF projects have a release procedure that
> is decentralized, whereas code signing works most cleanly in a
> centralized/controlled release environment.  That is why the initial
> focus should be on getting the releases spun directly from the
> buildbots, traceable to approved source revisions.
> 
> -Rob
> 
> 
> On Fri, May 24, 2013 at 5:21 PM, Rob Weir <robw...@apache.org> wrote:
>> On Fri, May 24, 2013 at 5:01 PM, janI <j...@apache.org> wrote:
>>> On 24 May 2013 22:30, Juergen Schmidt <jogischm...@gmail.com> wrote:
>>> 
>>>> 
>>>> 
>>>> Am Freitag, 24. Mai 2013 um 19:50 schrieb janI:
>>>> 
>>>>> Hi.
>>>>> 
>>>>> we are not alone in ASF wishing code signing, but we might get run over
>>>> (as
>>>>> I did today on IRC) if we do not formulate our requirements very clearly.
>>>>> 
>>>> 
>>>> decisions are made on mailing lists, correct? That is what I learned at
>>>> Apache: what did not happen on a mailing list is not relevant ;-)
>>>> Well it seems that infra is always special.
>>>> I tried several times to discuss it on the infra mailing list and I
>>>> believe I have described very clearly what we need and how it works today
>>>> for OpenOffice if we would have a cert. I also proposed a solution that can
>>>> work from my point of view and I started to collect the info on a wiki page
>>>> as suggested.
>>>> There might be other solutions to do it but I have none in place and nobody
>>>> has convinced me that my proposed approach can not work.
>>>> I agree that it's not easy and I simply have no energy to discuss further
>>>> at the moment. I have enough other things to do.
>>>> 
>>>> Juergen
>>>>> 
>>>>> rgds
>>>>> jan I.
>>>>> 
>>>>> ---------- Forwarded message ----------
>>>>> From: Scott Deboy <scott.de...@gmail.com>
>>>>> Date: 24 May 2013 18:59
>>>>> Subject: Re: Official code signing certificate
>>>>> To: infrastructure-...@apache.org
>>>>> 
>>>>> 
>>>>> Logging Services has a simple requirement:
>>>>> 
>>>>> Have the Chainsaw build artifacts signed by a Java code signing cert
>>>>> that is signed by a trusted/root CA so the jars can be downloaded via
>>>>> WebStart without the user receiving a warning that the signed jars
>>>>> aren't trusted.
>>>>> 
>>>>> The Chainsaw maven script supports signing jars - infra just needs to
>>>>> point it to the cert.
>>>>> 
>>>>> I don't know whether or not an ASF-wide Java code signing cert makes
>>>>> sense or a Logging Services-specific Java code signing cert makes
>>>>> sense. I don't even know if it is possible to have TLP-specific Java
>>>>> code signing certs. I defer to infra on that decision.
>>>>> 
>>>>> I believe the code signing service WRowe described will meet our
>>>>> requirements. Hopefully infra can spend some time looking at the
>>>>> service and see how it can meet their requirements.
>>>>> 
>>>>> Logging Services would like to be a guinea pig for the Java code
>>>>> signing service WRowe described above. If there are additional
>>>>> details needed by infra, we are happy to provide them.
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Scott
>>>>> 
>>>>> On 4/12/13, sebb <seb...@gmail.com> wrote:
>>>>>> You are now in http://wiki.apache.org/general/ContributorsGroup
>>>>>> 
>>>>>> On 12 April 2013 17:32, William A. Rowe Jr. <wr...@rowe-clan.net>
>>>> wrote:
>>>>>> 
>>>>>>> On Fri, 12 Apr 2013 10:47:29 -0500
>>>>>>> "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
>>>>>>> 
>>>>>>>> On Tue, 26 Mar 2013 00:56:06 +0200
>>>>>>>> Daniel Shahaf <d...@daniel.shahaf.name> wrote:
>>>>>>>> 
>>>>>>>>> Can you write this all down somewhere? A wiki page maybe
>>>>>>>> 
>>>>>>>> http://wiki.apache.org/general/ASFCodeSigning
>>>>>>> 
>>>>>>> Could one of the page editors please grant WilliamARoweJr some
>>>>>>> karma? I'll document the first-draft approach and the Symantec
>>>>>>> service-based approach.
>>>>>>> 
>>>>>> 
>>>> 
>>> I am truly sorry that I tried to help... with those 2 replies I only
>>> forwarded a mail for your information. I will for sure forget all about
>>> code signing and leave it to the experts.
>>> 
>>> During the discussion on IRC, a blog from Adobe was thrown in, showing just
>>> how complicated it can be for full-time security profs. to ensure the
>>> certificate is not misused.
>>> 
>>> I am sorry I defended our viewpoint, and made this list aware that there
>>> are other projects with similar needs. You just managed to kill the
>>> messenger, next time this issue is discussed on IRC, I will refer to this
>>> thread and keep silent.
>>> 
>> 
>> Jan, I'm sure we all appreciate your attempt to "defend our
>> viewpoint", but you might not be aware that this has been discussed
>> repeatedly with Infra, since before you were even involved in the
>> project.  If there is any frustration expressed it is not with you.
>> 
>> The fact that security is hard or that other projects would benefit
>> from code signing -- none of this is news.  That doesn't mean that you
>> were wrong to discuss it.  It just means that you did not have the
>> information and background that Juergen and I have from trying to push
>> this forward over a much longer period of time.
>> 
>> There is a thread with 93 posts on infra-dev on this topic dating back
>> a year.  It probably makes sense to read up on what has been discussed
>> previously as background information.
>> 
>> -Rob
>> 
>>> rgds
>>> jan I.
>>> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
> 


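Rob's staged plan above (release builds spun from buildbots and traceable to an SVN revision, first signed with a self-signed test certificate, then with a real one) can be sketched end to end in code. The Go program below is an added illustration and is not AOO, ASF Infra or buildbot code; the manifest layout, the ECDSA P-256 key, the function names, the constructed artifact bytes and the revision string are all assumptions made for the example. Its point is that the consumer-side check, not only the buildbot, enforces "signed implies traceable to a source revision", and that moving from the test certificate to a CA-issued one changes nothing but the set of trusted roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Manifest binds a build artifact to the source revision it was built from.
// The field set is an assumption for this example, not an ASF or AOO format.
type Manifest struct {
	Artifact    string
	SHA256      string
	SVNRevision string
}

// SignedManifest is what the buildbot would publish next to the artifact (assumed layout).
type SignedManifest struct {
	Manifest  Manifest
	CertDER   []byte
	Signature []byte
}

// newCodeSigningCert makes a self-signed certificate restricted to code signing: the
// "test certificate" stage. A CA-issued certificate later changes only the roots pool.
func newCodeSigningCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// manifestDigest hashes a fixed, unambiguous encoding (%q escapes quotes and newlines).
func manifestDigest(m Manifest) []byte {
	enc := fmt.Sprintf("artifact=%q\nsha256=%s\nsvn_revision=%q\n", m.Artifact, m.SHA256, m.SVNRevision)
	sum := sha256.Sum256([]byte(enc))
	return sum[:]
}

// signArtifact is the buildbot side: it refuses to sign anything not traceable to an SVN revision.
func signArtifact(name string, artifact []byte, rev string, cert *x509.Certificate, key *ecdsa.PrivateKey) (*SignedManifest, error) {
	if rev == "" {
		return nil, errors.New("refusing to sign: artifact is not traceable to an SVN revision")
	}
	sum := sha256.Sum256(artifact)
	m := Manifest{Artifact: name, SHA256: hex.EncodeToString(sum[:]), SVNRevision: rev}
	sig, err := ecdsa.SignASN1(rand.Reader, key, manifestDigest(m))
	if err != nil {
		return nil, err
	}
	return &SignedManifest{Manifest: m, CertDER: cert.Raw, Signature: sig}, nil
}

// verifyArtifact is the consumer side: the signer must chain to a trusted root and be valid for
// code signing, the manifest signature must verify, and the artifact must match the signed hash.
func verifyArtifact(sm *SignedManifest, artifact []byte, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(sm.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, manifestDigest(sm.Manifest), sm.Signature) {
		return errors.New("manifest signature does not verify")
	}
	if sum := sha256.Sum256(artifact); hex.EncodeToString(sum[:]) != sm.Manifest.SHA256 {
		return errors.New("artifact does not match the signed manifest")
	}
	if sm.Manifest.SVNRevision == "" {
		return errors.New("signed manifest carries no source revision")
	}
	return nil
}
```

To exercise it, generate a certificate with newCodeSigningCert, put it in an x509.CertPool as the trusted root, sign a build with signArtifact and call verifyArtifact on the genuine bytes, on tampered bytes, and against an empty pool; only the first call should return nil. The real Windows and Mac signing would go through signtool and codesign rather than a hand-rolled manifest, but the revision gate and the root-of-trust swap are the same. The private key here is generated in process, which is exactly the "strict control" problem Dave raises: on a production buildbot it belongs in a hardware token or a locked-down signing host, not on the build machine's disk.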