Re: Java code signing cert needed

Mon, 21 Oct 2013 14:32:45 -0700 

Hi Scott,
I just read through the discussion and I feel you have not got a reply which we can be satisfied with. If somebody would have said: it's not possible because of $x, ok. But I could not find an information why code signing is not possible on Jira nor did I find any information on the wiki page. 


Also I cannot understand why people are saying you are flaming. I feel 
this was/is a valid request

which was not handled.

I just added a comment on the Jira to back you.

However my first idea was to wait if we receive an answer the next days.


If we do not receive an answer, we can ask Sam in private first if he 
can advise us what to do.



After all I would like to put it into the next board report because this 
issue blocks us. At least
we need an answer if it works in general or if it is not supported at 
all.



As I have understood from your mail it seems that infra can have some 
kind of root certificate
of which we could have a child certificate to sign our software. It 
seems to be similar of what

I have heard with .net applications.


Please let me know if my ideas work for you or if you would like to make 
it somehow different.




On 21 Oct 2013, at 2:46, Scott Deboy wrote:


Now that extras is released (with a re-release imminent), it's time to
turn toward a release of Chainsaw.

Chainsaw can be ran via WebStart, which is the easiest way for people
to start the app - click a link, accept the prompt, and Chainsaw is
running.  Chainsaw's 'current' release is self-signed..a long time
ago.

Java 7U51, to be released January 14, will refuse to load code signed
by a self-signed certificate.

I requested a Java code signing certificate over two years ago via
https://issues.apache.org/jira/browse/INFRA-3991.  It was promptly
closed, and while there was a Wiki page created, nothing has happened
since.

I've reopened the Jira issue, but I think if Infra closes it again or
doesn't offer to help, it's probably time to escalate this.  Is Sam
Ruby still the Chair of Infra?  Should we talk to him?  Send something
to the board?

Two years is way too long to wait for Infra to be responsive...  Other
folks (OpenOffice) also require code signing but probably have more
complicated requirements.  Our Chainsaw build is simple, and Java code
signing is driven by the build.  Infra just has to define their
process for managing the certs and keys.

Let me know what you folks think the appropriate next step is.

Thanks,

Scott



---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB






















					Reply via email to