On Thu, Aug 20, 2015 at 8:09 AM, Niclas Hedhman <nic...@hedhman.org> wrote:

> On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
>
> > There are some special things here we do have absolute control over. If a
> > project wants to provide the 'official' build, why not start signing
> the .jar?
>
> Good idea, but to be practical for users, the certificate for the signing
> needs to be part of the certificate chain of the JVM (otherwise it would
> need to be installed on every host). I don't know how willing infra
> would be to support PKI at ASF for this; otherwise many projects will be
> limited due to cost (I could be wrong by now, and there may be totally
> free CAs).
>

That infrastructure now exists through the code signing service by Symantec.
One PMC member (or more) gets their own unique login, pushes the artifact
(.jar, in this example) to the service and is returned a signed artifact
reflecting the ASF provenance.

The interesting thing is the actual cert is unique to the object, so if it
is discovered that it was compromised, the signature can be revoked (good
luck having sig revocations active at boot time, but otherwise this is
quite useful.) And because there is a history, we know who precisely
requested each object signing.
