Chainsaw is actually the immediate need for the code signing cert.

Scott

On Aug 29, 2014 9:19 PM, "Ralph Goers" <[email protected]> wrote:
> Why can’t it be used to sign release artifacts?
>
> Ralph
>
> On Aug 29, 2014, at 7:55 PM, Matt Sicker <[email protected]> wrote:
>
> Oh that's definitely a different signing key. That's supposed to make it
> possible for Log4j to be embedded in Java WebStart and Applet programs that
> all rely on code signing for general security. I believe the idea is that
> the code can be signed by some build server during release to prevent
> leaking our key.
>
>
> On 29 August 2014 21:51, Ralph Goers <[email protected]> wrote:
>
>> What is the story with the ASF code signing key. Matt, I noticed that you
>> added Log4j 2 to the Jira issue.
>>
>> Ralph
>>
>> On Aug 29, 2014, at 7:31 PM, [email protected] wrote:
>>
>> > Note correct signing key for distribution.
>> >
>> >
>> > Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo
>> > Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/066e1855
>> > Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/066e1855
>> > Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/066e1855
>> >
>> > Branch: refs/heads/master
>> > Commit: 066e1855e7ed4a349904809f4bd866aa9ca85a2e
>> > Parents: a2c18b6
>> > Author: Matt Sicker <[email protected]>
>> > Authored: Fri Aug 29 18:56:46 2014 -0500
>> > Committer: Matt Sicker <[email protected]>
>> > Committed: Fri Aug 29 18:56:46 2014 -0500
>> >
>> > ----------------------------------------------------------------------
>> > src/site/apt/download.apt.vm | 5 +++--
>> > 1 file changed, 3 insertions(+), 2 deletions(-)
>> > ----------------------------------------------------------------------
>> >
>> >
>> > http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/066e1855/src/site/apt/download.apt.vm
>> > ----------------------------------------------------------------------
>> > diff --git a/src/site/apt/download.apt.vm b/src/site/apt/download.apt.vm >> > index dea8abc..e4b2f26 100644 >> > --- a/src/site/apt/download.apt.vm 
>> > +++ b/src/site/apt/download.apt.vm >> > @@ -54,7 +54,8 @@ Download Apache Log4j 2 >> > % gpg --verify apache-log4j-${Log4jReleaseVersion}-bin.tar.gz.asc >> > --- >> > >> > - Apache Log4j 2 is signed by Ralph Goers B3D8E1BA >> > +~~ Apache Log4j 2 is signed by Ralph Goers B3D8E1BA >> > + Apache Log4j ${Log4jReleaseVersion} is signed by Matt Sicker >> (FA1C814D) >> > >> > Alternatively, you can verify the MD5 signature on the files. A >> unix program called md5 or md5sum is included >> > in many unix distributions. >> > @@ -76,4 +77,4 @@ log4j-api-${Log4jReleaseVersion}.jar >> > log4j-core-${Log4jReleaseVersion}.jar >> > --- >> > >> > - You can do this from the command line or a manifest file. >> > \ No newline at end of file >> > + You can do this from the command line or a manifest file. >> > >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> >> > > > -- > Matt Sicker <[email protected]> > > >
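Review bot: The added signer line in the first hunk identifies the release key only by its 8-hex-digit short ID (FA1C814D). Short key IDs can be made to collide, so a reader who fetches a key by that ID and then runs the `gpg --verify` command shown in the context above cannot be sure they hold the intended key. Put the full key fingerprint on this line and say where the project publishes its release keys. The previous signer line (Ralph Goers B3D8E1BA) is turned into a `~~` comment, so it no longer appears on the rendered page, and anyone verifying a release made under the earlier key loses the reference; consider keeping both lines and stating which versions each key signed. The unchanged context line right after the change still describes the MD5 check as a "signature"; it is an unkeyed digest and should be worded as a corruption check, not as an alternative to the GPG verification.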
