On 22/08/2015 04:37, Niclas Hedhman wrote: > Cool. > I can't find info on "how much" it costs ASF, any pointers before embarking > on 100+ artifact signing spree... ;-)
With my infra hat on... The short answer is 'Don't worry about it and get signing.' The longer answer is that if a project wants to use the signing service then providing and paying for that service is infra's problem. As it happens, the solution we have is such that we are confident we can afford to sign every release of every project if necessary. The cost to the ASF is not per artefact but per 'signing event'. A signing event can consist of any number of artefacts. Note that it is a signing event that gets a unique certificate and a signing event is the smallest thing we can revoke. Typically, it is one signing event per release but there cases where a release needs 2 or 3 signing events. For example, Tomcat signs its Windows installer and uninstaller. Th uninstaller is packaged in the installer so we need one event to sign the uninstaller and then a second to sign the installer package that contains the (now signed) uninstaller. If Tomcat wanted to sign all the JARs we could sign them at the same time we sign the uninstaller (with a little jigging about of the build script) at no extra cost. If a project thought it needed 10s of signing events per release then I suspect there would need to be a conversation to see if that was really the case or if the number could be reduced. For more details see this: http://people.apache.org/~markt/presentations/2015-04-15-Code%20Signing%20at%20the%20ASF.pdf The exact costs are confidential but any ASF Member can look at the quotes (we accepted the second one dated 19-08-2014) in the private foundation repo (look under correspondence then Symantec). I'll be at ApacheCon Core in Budapest if anyone wants to talk face to face about this. Mark > > On Fri, Aug 21, 2015 at 12:35 AM, William A Rowe Jr <wr...@rowe-clan.net> > wrote: > >> On Thu, Aug 20, 2015 at 8:09 AM, Niclas Hedhman <nic...@hedhman.org> >> wrote: >> >>> On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <wr...@rowe-clan.net> >>> wrote: >>> >>>> There are some special things here we do have absolute control over. >> If a >>>> project wants to provide the 'official' build, why not start signing >>> the .jar? >>> >>> Good idea, but to be practical to users, the certificate for the signing >>> needs to be part of the certificate chain of the JVM (otherwise those >> would >>> be needed to be installed on every host). I don't know how willing infra >>> would be to support PKI at ASF for this, otherwise many projects will be >>> limited due to cost (I could be wrong by now and that there are totally >>> free CAs) >>> >> >> That infrastructure now exists through code signing service by Symantec. >> One PMC member (or more) gets their own unique log in, pushes the artifact >> (.jar, in this example) to the service and is returned a signed artifact >> reflecting the ASF providence. >> >> The interesting thing is the actual cert is unique to the object, so if it >> is discovered that it was compromised, the signature can be revoked (good >> luck having sig revocations active at boot time, but otherwise this is >> quite useful.) And because there is a history, we know who precisely >> requested each object signing. >> > > > --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
