---------- Forwarded message ----------
From: Mark Thomas <markt <at> apache.org>
Date: Mon, Nov 17, 2014 at 6:30 AM
Subject: Code signing service now available
To: "infrastructure <at> apache.org
" <infrastructure <at> apache.org
The ASF Infrastructure team is pleased to announce the availability of a
new code signing service for Java, Windows and Android applications.
This service is available to any Apache project to use to sign their
After a great deal of research, we have chosen Symantec's Secure App
Service offering to provide code signing service. This allows us to
granularly permit access; and each PMC will have their own
certificate(s) for signing. The per-project nature of certificate
issuance allows us to revoke a signature without disrupting other projects.
This service will permit projects to sign artifacts either via a web GUI
or a SOAP API. In addition a Java client and an ant task for signing
have been written and a maven plugin is under development.
This service results in a 'pay for what you use' scenario, so PMCs are
asked to use the service responsibly. To that end, projects will have
access to a test environment to ensure that they have their process
working correctly before consuming actual credits.
Thus far, we've had two projects who have helped testing this and
working out process for which we are very grateful. Those projects,
Commons and Tomcat, have successfully released signed artifacts
recently. (Commons Daemon 1.0.15 and Tomcat 8.0.15)
Projects that wish to use this service should open an Infra JIRA ticket
under the Codesigning component.
If you have any questions about this new service then feel free to ask
them on the infrastructure mailing list. This week is also an
opportunity to discuss this new service face-to-face with the
Infrastructure Team at ApacheCon EU. Come along to one of the infra
presentations or find one of us during one of the breaks.
on behalf of the ASF Infrastructure Team