incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject [board feedback] Signing Java Jars
Date Thu, 30 Aug 2007 06:47:15 GMT
The board took up this subject briefly at our Aug 29th meeting.  Below is
the board's feedback;

Marshall Schor wrote:
> Apache signing, to my knowledge, doesn't require use of a certificate
> authority.

Apache projects post trusted signatories in a KEYS or equivalent file within
the{project}/ distribution location.  You may
also advertise any key within the committers view
by following the instructions on that site for maintaining your .foaf entry.

PGP keys should also be registered at the keyserver, and we ask
you to countersign one anothers' keys at an appropriate event, such as the
ApacheCon key signing events.

However, the board considers any personal signing mechanism to be equivalent
and appropriate.  So signing a tarball with your PGP key, or a jar with your
Java Code Signing Certificate, or a .NET assembly with a Code Signing Cert
would all be equivalent.  Simply document the trusted certificates in the
appropriate distribution/download directories, and preferably include some
short comments or instructions for users to obtain/validate the signatures
of packages they download.

> I'd be interested to learn if others have gone down the Java JAR signing
> path, and if so,
>  - is it considered an OK alternative to Apache signing,

Source tarballs should still be signed with your pgp key.  Binaries can
be signed (as appropriate) with your code signing certificate as necessary.

>  - how did you get a certificate authority to verify ownership of your
> signing key

If this becomes a frequently used approach and proves to be an issue, the
board will take up the issue of considering obtaining a signing authority
certificate and signing individual certificates at some point in the future,
once a specific proposal is brought to us.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message