On Jul 17, 2012, at 8:18 PM, Justin Mclean wrote:

> Hi,
> 
>> The recommendation is to sign this binary convenience package in the same 
>> way as the binary packages are signed - as pgp detached signature. You can 
>> follow the digital signing discussions on infrastructure-dev in either the 
>> archives or by joining the list.
> 
> As AIR apps include their own signing process, wouldn't it be simpler to just 
> sign the application once rather than twice? If we only sign the package as 
> above we may want to consider the warning message (basically states that the 
> application is from an unknown and untrusted source) that is shown when an 
> AIR app is installed for the first time - the normal Apache signing process 
> won't change this warning.

Totally correct. The trouble is that the ASF is just determining whether and 
how it will provide signing services with apache.org credentials to projects. 
This is happening slowly on infrastructure-dev.

This project will need to instruct users on how to check a PGP signature for 
the source and binary release artifacts on the download page, so it is not too 
much more to also ask that they check this artifact if they use it.

(Is someone working on the download page?)

(Totally agree that a digital signing certificate is a technically better 
solution.)

You could ask general@i.a.o about third party signing of this artifact and what 
that should mean for where it should be hosted.

Regards,
Dave

> 
> Thanks,
> Justin
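A verification routine of the kind the download page would have to describe, added here as an example (not code from the thread or the project): it imports the project's KEYS file into a throwaway keyring, checks the detached .asc signature with gpg, and then requires the signing key's fingerprint to match one the user obtained out of band, since a KEYS file fetched from the same place as the artifact only proves self-consistency. The file names and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# verify_release ARTIFACT SIG KEYS EXPECTED_FPR
# Returns 0 only if SIG is a valid detached PGP signature over ARTIFACT made by
# a key in KEYS whose fingerprint (signing key or its primary) equals
# EXPECTED_FPR. EXPECTED_FPR must come from an out-of-band source, not from the
# download mirror; otherwise an attacker who replaces the artifact and
# signature can simply replace KEYS as well.
verify_release() {
    artifact=$1; sig=$2; keys=$3; expected_fpr=$4
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    # Isolated keyring: only the project's KEYS are trusted for this check.
    if ! gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the
    # signing key's fingerprint as field 3 and the primary fingerprint last.
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null)
    rc=$?
    gpgconf --homedir "$tmp" --kill all >/dev/null 2>&1 || true
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # A "Good signature" is not enough: pin the fingerprint we expect.
    printf '%s\n' "$status" | awk -v f="$expected_fpr" \
        '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==f || $NF==f) {ok=1}
         END {exit ok ? 0 : 1}'
}
```

Usage: `verify_release apache-flex-sdk-installer.air apache-flex-sdk-installer.air.asc KEYS <fingerprint from a trusted source> && echo OK` (assumed file names).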
