On 15/09/17 16:40, Christopher Schultz wrote:
> Mark,
>
> On 9/13/17 2:09 PM, Mark Thomas wrote:
>> FYI but mainly for anyone doing a release, the code signing service is
>> available again. The account has been renewed for another year and we
>> (Tomcat) have enough credits to keep us going for a while. I'll keep an
>> eye on our credit usage and get our allocation increased if we need more.
>
> IIRC, Symantec was the vendor providing code-signing certificates.

Correct.

> Are those certificates impacted by the impending dis-trusting of
> Symantec-issued TLS certificates?
>
> DigiCert is purchasing (has purchased?) Symantec's various CAs, and that
> also might have an effect on (a) the trust of our
> certificates/signatures and (b) the future of the code-signing
> arrangement with the new vendor.

I haven't dug into the detail but my understanding is that the code
signing service will transition to DigiCert. I'm expecting minimal
impact for us. Particularly since no-one has even questioned the fact
that the last handful of Windows Installer releases have been unsigned.

> I suspect DigiCert will be happy to continue to provide ASF with
> low/no-cost code-signing credits, but it might be nice to have that
> clarified sooner rather than later.

As one of the ASF admins of the code signing service I've had a couple
of emails assuring of a smooth transition so I'm fairly confident.

Mark