The Apache Software Foundation (ASF) is a non-profit organization that supports more than 150 open-source software projects.
Recently, the ASF infrastructure team announced a new code signing service covering Java, Windows and Android-based applications. Any Apache project that needs to sign code can use it.
Apache projects ship source code, and each release artifact is signed with a GPG (GNU Privacy Guard) signature so that users and downstream providers can verify its authenticity. Users then either compile the software themselves or, for some projects, use the convenience binaries Apache provides; Apache OpenOffice, for example, ships ready-to-run binaries.
After several rounds of research, the ASF team chose Symantec's Secure App Service to provide the code signing service. This lets the ASF team grant access per Apache project, with each Project Management Committee (PMC) holding its own signing certificate. Because certificates are issued per project, a compromised or retired certificate can be revoked without disrupting any other project's signing.
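The GPG-signed source releases described above are only as good as the check a user actually runs. The following Python script is an added example (not ASF code) of how a practitioner verifies a downloaded Apache artifact: the SHA-512 checksum proves integrity, and the detached `.asc` signature, checked against the project's `KEYS` file imported into a throwaway keyring, proves authenticity. The artifact name `apache-example-1.0-src.tar.gz` and the file layout are assumptions; `gpg` must be on `PATH` for the signature step, and the sample artifact in `demo_checksum_roundtrip` is constructed, not a real release.

```python
"""Verify an Apache release: SHA-512 for integrity, GPG detached signature for
authenticity. Added example, not ASF code. File names are assumptions."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def sha512_of(path: str) -> str:
    """Stream the file through SHA-512 so large tarballs do not load into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text: str) -> str:
    """Accept both 'HEX  filename' (sha512sum format) and bare 'HEX' lines.
    Returns the lowercase hex digest; raises ValueError if none is found."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        token = line.split()[0].lower()
        if len(token) == 128 and all(c in "0123456789abcdef" for c in token):
            return token
    raise ValueError("no SHA-512 digest found in checksum file")


def checksum_matches(artifact: str, sha512_path: str) -> bool:
    """Integrity only: a mirror that swaps the artifact can swap the .sha512 too,
    so fetch checksum and signature files from the ASF download site, not a mirror."""
    with open(sha512_path) as f:
        expected = parse_checksum_file(f.read())
    return hmac.compare_digest(sha512_of(artifact), expected)


def signature_valid(artifact: str, asc_path: str, keys_path: str) -> bool:
    """Authenticity: import the project's KEYS file into a temporary GNUPGHOME and
    verify the detached signature. gpg exits 0 for a good signature from any key in
    the keyring, so trust rests on having obtained KEYS from the ASF itself."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    with tempfile.TemporaryDirectory() as home:  # mkdtemp already creates it 0700
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run([gpg, "--batch", "--quiet", "--import", keys_path],
                       env=env, check=True, capture_output=True)
        result = subprocess.run([gpg, "--batch", "--verify", asc_path, artifact],
                                env=env, capture_output=True)
        return result.returncode == 0


def verify_release(artifact: str, sha512_path: str, asc_path: str, keys_path: str) -> dict:
    """Run both checks; a release is acceptable only when both are True."""
    return {"checksum": checksum_matches(artifact, sha512_path),
            "signature": signature_valid(artifact, asc_path, keys_path)}


def demo_checksum_roundtrip() -> tuple:
    """Constructed sample: a fake artifact and its .sha512 in a temp dir.
    Returns (matches_untampered, matches_after_tamper), expected (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        artifact = os.path.join(d, "apache-example-1.0-src.tar.gz")  # hypothetical name
        with open(artifact, "wb") as f:
            f.write(b"constructed artifact bytes, not a real release\n")
        sha_file = artifact + ".sha512"
        with open(sha_file, "w") as f:
            f.write(f"{sha512_of(artifact)}  {os.path.basename(artifact)}\n")
        before = checksum_matches(artifact, sha_file)
        with open(artifact, "ab") as f:
            f.write(b"x")  # simulate a corrupted or tampered download
        after = checksum_matches(artifact, sha_file)
    return before, after


if __name__ == "__main__":
    print("checksum round trip (untampered, tampered):", demo_checksum_roundtrip())
    # Real use, with files downloaded alongside the artifact:
    # print(verify_release("apache-example-1.0-src.tar.gz",
    #                      "apache-example-1.0-src.tar.gz.sha512",
    #                      "apache-example-1.0-src.tar.gz.asc", "KEYS"))
```

The split into two functions is deliberate: a passing checksum on its own says nothing about who produced the file, and a good signature from a key that was not obtained from the ASF's own `KEYS` distribution says nothing either. Treat the release as verified only when both checks pass.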
How do I Activate the Code Signing Service?
According to the ASF team, projects can sign code through one of two interfaces:
- Web GUI(Graphical User Interface)
- SOAP (Simple Object Access Protocol) API
**Note:** The ASF has already written a Java client and an Ant task for code signing; a Maven plugin is still under development.
How Does the Code Signing Service Work?
The ASF team runs this service on a "pay for what you use" basis, so each PMC must use it responsibly and only as its requirements demand. The ASF team has also given Apache projects access to a test environment so they can confirm that their signing process works before signing real releases.
Two of Apache's best-known projects, Commons and Tomcat, have already tested the service, and the ASF has released the first signed artifacts as Apache Commons Daemon 1.0.15 and Tomcat 8.0.14.
**Note:** Each Apache project that wants to use the code signing service must open an Infra JIRA ticket under the Code Signing component.