There was a jar signing thread on [EMAIL PROTECTED] (http://mail-archives.apache.org/mod_mbox/incubator-general/200708.mbox/%[EMAIL PROTECTED]) already in progress about
digitally signing jars. The initial post has linked to describe
how the Eclipse Foundation digitally signs their jars. To do it
right, it would appear to require a purchased code signing key from
Thawte, Verisign or similar which would cost several hundred
dollars a year and secured hardware and a process to ensure that
the code signing key is only applied to legitimate code. The
thread didn't seem to reach any conclusions, but just seemed to die
out.
Technically you do not need to purchase a code signing certificate.
I already have a Thawte email certificate that allows me to sign code
and it appears as signed by "Paul Smith <[EMAIL PROTECTED]>" (see
[1]). On initial download it allows the users to choose whether to
trust this certificate or not by displaying the details. It's never
forced on the users. If the user chooses no, the download stops.
This is what happens with Chainsaw via Webstart now.
Whether this is acceptable to the ASF is entirely up for discussion.
I personally don't see this signing mechanism as any different from the
PGP one; at the end of the day the user needs to decide if user "Bob"
encoded in the KEYS is acceptable to them. The Web of Trust of the
PGP is nice, but then so is the Thawte (and others) Certificate
Authority chain. Thawte has its own WOT too (see [2]), I consider
them 2 different ways of doing the same thing.
It is straightforward and free to gain a Thawte Freemail
certificate, which only displays the email address in the
certificate. To be able to add your personal name into the
certificate requires at least 2 notaries to verify your identity. I
went through this process about 18 months ago and managed to find 2
people verified by Thawte and registered notaries who performed this
service for free (I bought them coffee for their troubles). I found
this process pretty painless really, only Thawte's own website being
a little weird to work through.
I don't need to be the signer, it could be anyone from the PMC. I'm
simply the one that's setup at the moment.
Paul
[1] http://www.thawte.com/secure-email/personal-email-certificates/index.html?click=main-nav-products-email
[2] http://www.google.com/search?q=thawte%20web%20of%20trust
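As an added example, not part of Paul's message or of the Chainsaw/log4j code base: the part of jar signing that does not depend on who issued the certificate is the digest chain inside the archive. jarsigner writes a SHA digest of every entry into META-INF/MANIFEST.MF, writes a digest of the manifest into a .SF file, and then signs the .SF with the code-signing key. Whether the user later accepts a Thawte-issued, PGP-backed or self-signed identity, the jar is only worth that decision if this chain verifies, so the script below builds a small jar with constructed entries (stand-ins for Chainsaw's classes), checks the chain with only the Python standard library, and shows that swapping an entry after signing is detected. The signature block over the .SF (the RSA/X.509 step) is deliberately not reproduced; the file name PAUL.SF and the entry contents are assumptions.

```python
"""Verify the digest chain inside a signed jar (META-INF/MANIFEST.MF plus a
META-INF/*.SF file) using only the standard library.  The signature block
over the .SF, which ties the jar to a code-signing certificate, is not
reproduced here: this checks what jarsigner -verify checks *before* it
looks at the certificate chain."""
import base64
import hashlib
import io
import zipfile


def b64_sha256(data: bytes) -> str:
    """Digest encoded the way jar manifests store it."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(raw: bytes) -> tuple[dict, list]:
    """Return (main attributes, [per-entry attribute dicts]).  Jar tools wrap
    lines at 72 bytes; a continuation line starts with one space."""
    lines: list[str] = []
    for line in raw.decode("utf-8").splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # glue continuation onto previous line
        else:
            lines.append(line)
    sections: list[dict] = []
    current: dict = {}
    for line in lines:
        if line == "":                     # blank line ends a section
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    return (sections[0] if sections else {}), sections[1:]


def build_signed_jar(entries: dict[str, bytes]) -> bytes:
    """Constructed stand-in for 'jar' + 'jarsigner' minus the signature
    block: one manifest section per entry, and a .SF (assumed name PAUL.SF)
    carrying the digest of the whole manifest."""
    mf = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in entries.items():
        mf += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
    mf_bytes = mf.encode("utf-8")
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64_sha256(mf_bytes)}\r\n\r\n").encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", mf_bytes)
        z.writestr("META-INF/PAUL.SF", sf)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_jar(jar: bytes) -> list[str]:
    """Return a list of problems; empty means every non-META-INF entry is
    listed in the manifest with a matching digest, and every .SF file's
    manifest digest matches the manifest actually in the jar."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        names = set(z.namelist())
        mf_bytes = z.read("META-INF/MANIFEST.MF")
        _, sections = parse_manifest(mf_bytes)
        listed = {s["Name"]: s["SHA-256-Digest"]
                  for s in sections if "Name" in s and "SHA-256-Digest" in s}
        for name in sorted(names):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                   # signing metadata and directories
            if name not in listed:
                problems.append(f"{name}: not covered by manifest")
            elif b64_sha256(z.read(name)) != listed[name]:
                problems.append(f"{name}: digest mismatch")
        for name in sorted(names):
            if name.startswith("META-INF/") and name.endswith(".SF"):
                main, _ = parse_manifest(z.read(name))
                if main.get("SHA-256-Digest-Manifest") != b64_sha256(mf_bytes):
                    problems.append(f"{name}: manifest digest mismatch")
    return problems


def tamper(jar: bytes, name: str, data: bytes) -> bytes:
    """Replace one entry without touching the manifest, as someone who
    modified a published jar after signing would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            body = data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, body)
    return buf.getvalue()


# Constructed sample entries; contents are placeholders, not real classes.
SAMPLE = {
    "org/apache/log4j/chainsaw/Main.class": b"\xca\xfe\xba\xbe example bytes",
    "log4j.xml": b"<configuration/>",
}

if __name__ == "__main__":
    good = build_signed_jar(SAMPLE)
    print("original:", verify_jar(good) or "ok")
    bad = tamper(good, "log4j.xml", b"<configuration>evil</configuration>")
    print("tampered:", verify_jar(bad))
```

A real verifier must additionally check that every .SF section's digest matches the corresponding manifest section and that the signature block in META-INF (the .RSA/.DSA file) validates over the .SF with a key whose certificate chain the user has decided to trust; that last step is where the Thawte-versus-PGP question in the message above actually lives.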