incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: apache binary distributions
Date Sat, 22 Aug 2015 18:40:09 GMT
On 22/08/2015 04:37, Niclas Hedhman wrote:
> Cool.
> I can't find info on "how much" it costs ASF, any pointers before embarking
> on 100+ artifact signing spree... ;-)

With my infra hat on...

The short answer is 'Don't worry about it and get signing.'

The longer answer is that if a project wants to use the signing service
then providing and paying for that service is infra's problem. As it
happens, the solution we have is such that we are confident we can
afford to sign every release of every project if necessary.

The cost to the ASF is not per artefact but per 'signing event'. A
signing event can consist of any number of artefacts.

Note that it is a signing event that gets a unique certificate and a
signing event is the smallest thing we can revoke.

Typically, it is one signing event per release but there cases where a
release needs 2 or 3 signing events. For example, Tomcat signs its
Windows installer and uninstaller. Th uninstaller is packaged in the
installer so we need one event to sign the uninstaller and then a second
to sign the installer package that contains the (now signed)
uninstaller. If Tomcat wanted to sign all the JARs we could sign them at
the same time we sign the uninstaller (with a little jigging about of
the build script) at no extra cost.

If a project thought it needed 10s of signing events per release then I
suspect there would need to be a conversation to see if that was really
the case or if the number could be reduced.

For more details see this:

The exact costs are confidential but any ASF Member can look at the
quotes (we accepted the second one dated 19-08-2014) in the private
foundation repo (look under correspondence then Symantec).

I'll be at ApacheCon Core in Budapest if anyone wants to talk face to
face about this.


> On Fri, Aug 21, 2015 at 12:35 AM, William A Rowe Jr <>
> wrote:
>> On Thu, Aug 20, 2015 at 8:09 AM, Niclas Hedhman <>
>> wrote:
>>> On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <>
>>> wrote:
>>>> There are some special things here we do have absolute control over.
>> If a
>>>> project wants to provide the 'official' build, why not start signing
>>> the .jar?
>>> Good idea, but to be practical to users, the certificate for the signing
>>> needs to be part of the certificate chain of the JVM (otherwise those
>> would
>>> be needed to be installed on every host). I don't know how willing infra
>>> would be to support PKI at ASF for this, otherwise many projects will be
>>> limited due to cost (I could be wrong by now and that there are totally
>>> free CAs)
>> That infrastructure now exists through code signing service by Symantec.
>> One PMC member (or more) gets their own unique log in, pushes the artifact
>> (.jar, in this example) to the service and is returned a signed artifact
>> reflecting the ASF providence.
>> The interesting thing is the actual cert is unique to the object, so if it
>> is discovered that it was compromised, the signature can be revoked (good
>> luck having sig revocations active at boot time, but otherwise this is
>> quite useful.) And because there is a history, we know who precisely
>> requested each object signing.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message