So how does this sound:
- We don't keep the .p12 file in the repo.
- We ask developers who want to work with the source code to generate a .p12 file (using FB or similar tools) for themselves.
- They should not check it in (add *.p12 to svn ignore?)
- The release managers would create a .p12 certificate (and a pass code) as the official one. This will not be checked in.
- A release build is created using the source code + .p12 + pass code combination.
- Whoever is the current release manager gets the .p12 certificate + pass code from the previous release manager to make a release build.
- It is up to the release managers to keep the .p12 and pass code secure.

Note: We may need two release managers for every release - one for Windows and one for Mac, since AIR apps for a platform need to be built on the same platform.

P.S.: I have a thread going on in infra-dev to get an official Apache.org or Apache Flex AIR app signing certificate. You can follow it here: [1]

Thanks,
Om

[1] http://markmail.org/message/5te7ygbwzxulhpyj

On Wed, Aug 15, 2012 at 2:25 PM, Clint Modien <cmod...@gmail.com> wrote:
> Anyone could sign code with the cert if they know/crack the password for
> the private key.
>
> I would keep all certs out of the repo in the interest of security and
> keep them in a safe place and only grant access to people who create
> distribution packages.
>
> If you're doing dev… you can generate your own cert.
>
> On Aug 15, 2012, at 1:05 PM, Om wrote:
>
>>> I fixed all the issues identified by the RAT check except certificate.p12.
>>> That's a binary file and I don't think it can go in the source
>>> distribution.
>>>
>>> I'll leave that to Om and/or Erik to figure out.
>>>
>>>
>> It makes sense for any developer who wants to work on it to create their
>> own certificate. Flash Builder makes it very seamless.
>>
>> But, what about official releases? We need to have and maintain one
>> certificate so that the app upgrades on client's machines go smoothly.
>>
>> .p12 files can be created, modified etc. using a variety of tools like
>> Flash Builder, OpenSSL, etc. Can we make an exception for p12 files and
>> keep it in the source?
>>
>> Thanks,
>> Om
>>
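An added example, not code from this thread or the Apache Flex project, of enforcing the "they should not check it in" rule on the server: svn:ignore only hides unversioned files from `svn status`, it does not stop an explicit `svn add`, so a Subversion pre-commit hook is the check that actually bites. It assumes the hook is installed as `REPOS/hooks/pre-commit` and parses the documented output of `svnlook changed`; treating `.pfx` as the same PKCS#12 container and the DER-header sniff are this example's own assumptions.

```python
"""Subversion pre-commit guard against committing PKCS#12 keystores.

Added example, not from the thread or the Apache Flex project. Assumes the
script is installed as REPOS/hooks/pre-commit and that `svnlook` is on PATH.
"""
import re
import subprocess
import sys

# .pfx is the same PKCS#12 container under another name (assumption here).
BLOCKED_SUFFIXES = (".p12", ".pfx")

# `svnlook changed` lines look like "A   trunk/certificate.p12", "U   f",
# "D   f", "_U  f" (property-only) or "UU  f": 1-2 status chars, spaces, path.
CHANGED_LINE = re.compile(r"^(?P<status>[AUD_][U ]?)\s+(?P<path>\S.*)$")


def looks_like_pkcs12(data: bytes) -> bool:
    """Sniff a DER PFX header: SEQUENCE (long-form length) then INTEGER 3.

    PFX ::= SEQUENCE { version INTEGER {v3(3)}, ... }, so a real keystore
    starts with 30 82 LL LL 02 01 03 whatever file name it was given.
    """
    return len(data) >= 7 and data[:2] == b"\x30\x82" and data[4:7] == b"\x02\x01\x03"


def offending_paths(changed_output: str, read_file=lambda path: b"") -> list[str]:
    """Return paths that would add or update a keystore; deletions are allowed.

    `read_file(path)` supplies bytes for content sniffing (the hook wires it
    to `svnlook cat`); the default reads nothing, so name checks still work.
    """
    hits = []
    for line in changed_output.splitlines():
        m = CHANGED_LINE.match(line)
        if not m or m.group("status").startswith("D"):
            continue
        path = m.group("path")
        if path.endswith("/"):          # directory entry, nothing to sniff
            continue
        if path.lower().endswith(BLOCKED_SUFFIXES) or looks_like_pkcs12(read_file(path)):
            hits.append(path)
    return hits


def main() -> int:
    repos, txn = sys.argv[1], sys.argv[2]   # arguments Subversion passes to the hook
    svnlook = lambda *a: subprocess.run(["svnlook", *a], check=True, capture_output=True).stdout
    bad = offending_paths(svnlook("changed", "-t", txn, repos).decode(),
                          lambda p: svnlook("cat", "-t", txn, repos, p))
    for path in bad:
        sys.stderr.write(f"rejected: {path} is a PKCS#12 keystore; keep it out of the repo\n")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit aborts the commit and Subversion relays the stderr text to the committer, so the message above is what the developer sees.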