incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: apache binary distributions
Date Thu, 20 Aug 2015 16:35:52 GMT
On Thu, Aug 20, 2015 at 8:09 AM, Niclas Hedhman <> wrote:

> On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <>
> wrote:
> > There are some special things here we do have absolute control over. If a
> > project wants to provide the 'official' build, why not start signing
> the .jar?
> Good idea, but to be practical to users, the certificate for the signing
> needs to be part of the certificate chain of the JVM (otherwise those would
> be needed to be installed on every host). I don't know how willing infra
> would be to support PKI at ASF for this, otherwise many projects will be
> limited due to cost (I could be wrong by now and that there are totally
> free CAs)

That infrastructure now exists through code signing service by Symantec.
One PMC member (or more) gets their own unique log in, pushes the artifact
(.jar, in this example) to the service and is returned a signed artifact
reflecting the ASF providence.

The interesting thing is the actual cert is unique to the object, so if it
is discovered that it was compromised, the signature can be revoked (good
luck having sig revocations active at boot time, but otherwise this is
quite useful.) And because there is a history, we know who precisely
requested each object signing.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message