[Signing] New component for code signing


[Signing] New component for code signing

Mark Thomas
All,

As you may know, the ASF has been using a code signing service for a
number of years provided by Symantec. We use it to sign Commons Daemon
Windows binaries.

The code signing service has a web based GUI and a SOAP based API.
Tomcat has written an Ant task to use the SOAP API and Sling has taken
this and used it as the basis for a Maven plug-in.

Currently, the Ant task is hosted within the Tomcat codebase and the
Maven plug-in within Sling. Both communities would like to move this to
a better home where it can more easily be re-used by other Apache
projects and other organisations using Symantec's code signing service.

After some thought and discussion, we (Robert Munteanu and I) would like
to propose this code signing component as a new component at Commons.
Our reasons for this are as follows:

- The code is written in Java
- It is a relatively small component
- It is a utility likely to be of interest to multiple Apache projects
- If it is going to be re-used across multiple projects, it needs to be
  formally released and that requires a PMC

If accepted the plan would be:
- commit the original Tomcat code for the Ant task
- refactor it to allow re-use of code common to the Ant task and Maven
  plug-in
- add the Maven plug-in
- release it as a single JAR that provides both the Ant task and the
  Maven plug-in
- Ongoing review and maintenance (there are a couple of areas that could
  benefit from some improvement)

Thoughts? Comments?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [Signing] New component for code signing

Benedikt Ritter-4
Hello Mark,

+1 In my opinion this is exactly what Commons should be doing.

Regards,
Benedikt


Re: [Signing] New component for code signing

garydgregory
+1

Gary


Re: [Signing] New component for code signing

Bernd Eckenfels
+1 - and I would expect we also see a server-side component.

BTW: Eclipse also has some infrastructure for this (we use a modified version with a PHP backend on-prem)

http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/maven-plugins/README.md

Regards
Bernd
--
http://bernd.eckenfels.net


Re: [Signing] New component for code signing

Hasan Diwan
+1

--
OpenPGP:
https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
If you wish to request my time, please do so using
http://bit.ly/hd1ScheduleRequest.

Sent from my mobile device

Re: [Signing] New component for code signing

Matt Sicker
+1 (non-binding)

I'd find such a plugin useful for Apache Chainsaw in the future. Any other
Java GUI apps at Apache could benefit as well.

--
Matt Sicker <[hidden email]>

Re: [Signing] New component for code signing

Rob Tompkins
+1

Re: [Signing] New component for code signing

Robert Munteanu
Hi Bernd,

On Wed, 2018-01-24 at 22:26 +0100, Bernd Eckenfels wrote:
> +1  - and I would expect we also see a Server-side component.
>
> BTW: Eclipse also has some infrastructure for this (we use a modified
> Version with a PHP backend on-prem)
>
> http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/maven-plugins/README.md

For reference, the server-side part is provided and hosted by Symantec,
so there are no immediate plans to add a server-side component.

Thanks,

Robert


RE: [Signing] New component for code signing

Bernd Eckenfels
Well, there are plans by me. I would not invest time in a project nobody else can use…

Maybe there can be some consensus on a common protocol.

Regards
Bernd


Re: [Signing] New component for code signing

Robert Munteanu
On Tue, 2018-01-30 at 15:57 +0100, Bernd Eckenfels wrote:
> Well, there are plans by me. I would not invest time in a project
> nobody else can use…
>
> Maybe there can be some consensus on a common protocol.

Ah, sorry - I thought you meant the plans for this particular
submission.

There can be of course plans for server-side code signing components.

Thanks,

Robert


Re: [Signing] New component for code signing

Emmanuel Bourg-3
On 23/01/2018 at 07:33, Mark Thomas wrote:

> Thoughts? Comments?

+1

I might even be able to contribute some elements I developed for my
jsign project [1]. jsign is able to sign Windows executables but using a
local signing certificate or a PKCS#11 token. It comes with an Ant task,
a Maven plugin, a Gradle plugin and also a command line tool.

Will the scope be limited to the Symantec signing service?

Emmanuel Bourg

[1] https://ebourg.github.io/jsign/


Re: [Signing] New component for code signing

Mark Thomas
On 01/02/18 22:08, Emmanuel Bourg wrote:

> Le 23/01/2018 à 07:33, Mark Thomas a écrit :
>
>> Thoughts? Comments?
>
> +1
>
> I might even be able to contribute some elements I developed for my
> jsign project [1]. jsign is able to sign Windows executables but using a
> local signing certificate or a PKCS#11 token. It comes with an Ant task,
> a Maven plugin, a Gradle plugin and also a command line tool.
>
> Will the scope be limited to the Symantec signing service?

I see no reason to limit the scope that way. There might be some
opportunities to re-use code.

There looks to be general agreement that this proposal is a good idea so
I'll start a formal VOTE shortly - probably tomorrow now

Mark


Re: [Signing] New component for code signing

Rob Tompkins


+1

>>
>> I might even be able to contribute some elements I developed for my
>> jsign project [1]. jsign is able to sign Windows executables but using a
>> local signing certificate or a PKCS#11 token. It comes with an Ant task,
>> a Maven plugin, a Gradle plugin and also a command line tool.
>>
>> Will the scope be limited to the Symantec signing service?
>
> I see no reason to limit the scope that way. There might be some
> opportunities to re-use code.
>
> There looks to be general agreement that this proposal is a good idea so
> I'll start a formal VOTE shortly - probably tomorrow now
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]