Sounds good… strange that Apache doesn't have a code signing process in place already… seems like a pretty common requirement.
On Aug 15, 2012, at 4:30 PM, Om wrote:
> So how does this sound:
>
> - We don't keep the .p12 file in the repo.
> - We ask developers who want to work with the source code to generate a
>   .p12 file (using FB or similar tools) for themselves
> - They should not check it in (add *.p12 to svn ignore?)
> - The release managers would create a .p12 certificate (and a pass code)
>   as the official one. This will not be checked in.
> - A release build is created using the source code + .p12 + pass code
>   combination.
> - Whoever is the current release manager gets the .p12 certificate +
>   pass code from the previous release manager to make a release build.
> - It is up to the release managers to keep the .p12 and pass code
>   secure.
>
> Note: We may need two release managers for every release - one for Windows
> and one for Mac, since AIR apps for a platform need to be built on the same
> platform.
>
> P.S.: I have a thread going on in infra-dev to get an official Apache.org
> or Apache Flex AIR app signing certificate. You can follow it here: [1]