Hi Frank,

On Dec 18, 2007, at 5:22 PM, Frank Barnaby wrote:


On Dec 18, 2007, at 19:01, Craig L Russell wrote:


4. The release bundles need to be signed with a release-signing GPG key. See http://wiki.apache.org/jdo/KeysAtApache



I've been working on this task. I had planned on using GNU Privacy Guard (GPG) to sign the bundles, but building GPG and its dependent libraries proved to be a problem on Solaris (libassuan in particular), so I'm considering jarsigner and keytool, which are included in the JDK and readily accessible to all. Please let me know if there's any reason why I should avoid jarsigner or, alternatively, why I should strive to utilize GPG.

The jarsigner is a different functionality from GPG signatures. If I'm not mistaken, jarsigner allows you to sign jars, while GPG allows you to sign binary files.


While jarsigner supposedly allows one to sign zip files as well as jars, I suppose we might need to sign other binary types at some point.

IIUC, signing a jar file (or a jar in zip format) means that the contents are locked. This is a different semantic from what we're trying to achieve by signing distributions. The distros are signed to validate that they are intact and created by the signer even though they are downloaded from untrusted mirrors.



The GPG tool really does need to be investigated and used to sign Apache releases. GPG keys are cross-signed by other Apache release managers and the keys are part of the Apache web of trust.


I was under the impression that GPG is only a recommendation and not a requirement. I'm certainly not the expert here, so I'm eager to receive opinions from those with experience in this area. I'll try again to get GPG running on my end.



Are you sure there isn't a binary of GPG available for Solaris?



I believe I've found one at http://www.sunfreeware.com, but I need to test it. I'm also a bit hesitant to use GPG from an unknown origin.

Thanks for your comments, Craig.

You're very welcome.

Craig


Frank




Craig

I plan to post a new set of release-candidate bundles tomorrow, so please post your comments as soon as possible.



Frank




Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
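The sign-then-verify round trip Craig describes above (a detached GPG signature that proves a bundle is intact and came from the signer even when it was fetched from an untrusted mirror), as an added example that is not part of this thread or the JDO project's release scripts. It assumes GnuPG 2.x is on PATH; the key, the e-mail address, the KEYS file and the bundle contents are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: the release manager produces a
# detached, ASCII-armored GPG signature for a bundle, and a downloader verifies
# it against a KEYS file obtained from a trusted origin. Assumes GnuPG 2.x.
set -eu

WORK=$(mktemp -d)
RM_HOME="$WORK/release-manager"; DL_HOME="$WORK/downloader"
mkdir -m 700 "$RM_HOME" "$DL_HOME"   # throwaway keyrings; real ones are untouched
# Constructed demo key. A real release key is passphrase protected and
# cross-signed by other release managers (the Apache web of trust).
GNUPGHOME="$RM_HOME" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: JDO Demo Release Manager
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF

# Release-manager side: writes <bundle>.asc beside the bundle and leaves the
# bundle itself untouched (unlike jarsigner, nothing inside it is rewritten).
sign_bundle() {
    GNUPGHOME="$RM_HOME" gpg --batch --quiet --armor --detach-sign \
        --output "$1.asc" "$1"
}
# The public key as it would be published in the project's KEYS file.
GNUPGHOME="$RM_HOME" gpg --batch --quiet --armor --export demo@example.invalid \
    > "$WORK/KEYS"

# Downloader side: import KEYS (fetched from the project site, never from the
# mirror), then check the .asc against the bundle. Exit 0 means intact and
# signed by a holder of the published key.
verify_bundle() {
    GNUPGHOME="$DL_HOME" gpg --batch --quiet --import "$WORK/KEYS" 2>/dev/null
    GNUPGHOME="$DL_HOME" gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Constructed stand-in for a bundle; the same flow works for any binary type.
BUNDLE="$WORK/jdo-demo-bin.zip"
printf 'PK\003\004 constructed bundle payload\n' > "$BUNDLE"
sign_bundle "$BUNDLE"
if verify_bundle "$BUNDLE"; then echo "original bundle: signature OK"; else exit 1; fi
# One byte changed on an untrusted mirror: the detached signature no longer matches.
cp "$BUNDLE" "$WORK/tampered.zip"; cp "$BUNDLE.asc" "$WORK/tampered.zip.asc"
printf 'x' >> "$WORK/tampered.zip"
if verify_bundle "$WORK/tampered.zip"; then exit 1; else echo "tampered bundle: rejected"; fi
```

The verifier-side `gpg --verify` still warns that the imported key is not certified by a trusted signature, which is exactly the gap that cross-signing by other release managers closes; both keyrings live under the temporary `$WORK` directory, so remove it (and run `gpgconf --kill gpg-agent` with each `GNUPGHOME`) when finished.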
