Well it'd be a separate part of signing release artifacts. It would be the built-in JAR signing rather than the GPG signing we currently do. I think you can use both.
On 30 August 2014 11:04, Scott Deboy <[email protected]> wrote:

> Chainsaw is actually the immediate need for the code signing cert.
>
> Scott
> On Aug 29, 2014 9:19 PM, "Ralph Goers" <[email protected]> wrote:
>
>> Why can’t it be used to sign release artifacts?
>>
>> Ralph
>>
>> On Aug 29, 2014, at 7:55 PM, Matt Sicker <[email protected]> wrote:
>>
>> Oh that's definitely a different signing key. That's supposed to make it
>> possible for Log4j to be embedded in Java WebStart and Applet programs that
>> all rely on code signing for general security. I believe the idea is that
>> the code can be signed by some build server during release to prevent
>> leaking our key.
>>
>>
>> On 29 August 2014 21:51, Ralph Goers <[email protected]> wrote:
>>
>>> What is the story with the ASF code signing key. Matt, I noticed that
>>> you added Log4j 2 to the Jira issue.
>>>
>>> Ralph
>>>
>>> On Aug 29, 2014, at 7:31 PM, [email protected] wrote:
>>>
>>> > Note correct signing key for distribution.
>>> >
>>> >
>>> > Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo
>>> > Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/066e1855
>>> > Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/066e1855
>>> > Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/066e1855
>>> >
>>> > Branch: refs/heads/master
>>> > Commit: 066e1855e7ed4a349904809f4bd866aa9ca85a2e
>>> > Parents: a2c18b6
>>> > Author: Matt Sicker <[email protected]>
>>> > Authored: Fri Aug 29 18:56:46 2014 -0500
>>> > Committer: Matt Sicker <[email protected]>
>>> > Committed: Fri Aug 29 18:56:46 2014 -0500
>>> >
>>> > ----------------------------------------------------------------------
>>> > src/site/apt/download.apt.vm | 5 +++--
>>> > 1 file changed, 3 insertions(+), 2 deletions(-)
>>> > ----------------------------------------------------------------------
>>> >
>>> >
>>> >
>>>
http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/066e1855/src/site/apt/download.apt.vm >>> > ---------------------------------------------------------------------- >>> > diff --git a/src/site/apt/download.apt.vm >>> b/src/site/apt/download.apt.vm >>> > index dea8abc..e4b2f26 100644 >>> > --- a/src/site/apt/download.apt.vm >>> > +++ b/src/site/apt/download.apt.vm >>> > @@ -54,7 +54,8 @@ Download Apache Log4j 2 >>> > % gpg --verify apache-log4j-${Log4jReleaseVersion}-bin.tar.gz.asc >>> > --- >>> > >>> > - Apache Log4j 2 is signed by Ralph Goers B3D8E1BA >>> > +~~ Apache Log4j 2 is signed by Ralph Goers B3D8E1BA >>> > + Apache Log4j ${Log4jReleaseVersion} is signed by Matt Sicker >>> (FA1C814D) >>> > >>> > Alternatively, you can verify the MD5 signature on the files. A >>> unix program called md5 or md5sum is included >>> > in many unix distributions. >>> > @@ -76,4 +77,4 @@ log4j-api-${Log4jReleaseVersion}.jar >>> > log4j-core-${Log4jReleaseVersion}.jar >>> > --- >>> > >>> > - You can do this from the command line or a manifest file. >>> > \ No newline at end of file >>> > + You can do this from the command line or a manifest file. >>> > >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [email protected] >>> For additional commands, e-mail: [email protected] >>> >>> >> >> >> -- >> Matt Sicker <[email protected]> >> >> >> -- Matt Sicker <[email protected]>
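Review bot: the added signer line in the first hunk (`@@ -54,7 +54,8 @@`) identifies the release key only by its 8-hex-digit short ID, `(FA1C814D)`, and short key IDs are not collision-resistant, so a reader comparing it against `gpg --verify` output cannot tell the real key from a colliding one. Publish the full fingerprint on that line instead. The previous line is also kept as a `~~` comment (`~~ Apache Log4j 2 is signed by Ralph Goers B3D8E1BA`) rather than deleted, which hides the B3D8E1BA key from the rendered page; either remove it outright or list both keys visibly with the releases each one signed, so a signature made with the earlier key is not mistaken for an untrusted one.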
