[Board] OSGeo signing certificates (discussion)

Even Rouault even.rouault at spatialys.com
Fri Oct 16 09:46:50 PDT 2015


On Friday 16 October 2015 18:32:19, Jody Garnett wrote:
> Any further discussion, I will hold this thread open for another two hours
> before making a new motion to the board. Motion is going to be along the
> lines of approving a yearly dollar figure, rather than exact details.
> 
> Questions:
> - The QGIS Officer (listed as Gary Sherman
> <http://wiki.osgeo.org/wiki/Gary_Sherman>) may be in position to make a
> better motion on behalf of their team?
> - Is the SAC committee the correct contact point to store the certificate
> (say in a password protected svn?). The certificate will need to be
> available to a *very small* group of individuals who configure build box
> with the ability to sign an application on behalf of OSGeo.

I realize this is about the technique and not the principle, but instead of
distributing the certificate, with the risk that the accounts/machines that
store it get compromised, wouldn't it make sense to have a single machine where
it is stored, and (authorized) people do the signing on it?

It would be bad if the OSGeo certificate was misused, which would require
revoking it, etc...

Some projects use even more advanced mechanisms where the people signing
binaries don't even have access to the key themselves, as far as I understand:
https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer


> --
> Jody Garnett
> 
> On 15 October 2015 at 09:11, Jody Garnett <jody.garnett at gmail.com> wrote:
> > Today's board meeting had the following agenda topic:
> >>    - discuss possibility of OSGeo software signing certificates [Anita]
> >>    (i.e. OSX seems to not allow installation of unsigned software by
> >>    default --> user needs to change configuration --> signed software
> >>    would appear more professional. On the QGIS mailing list, we were
> >>    discussing that we could have a QGIS.org certificate but since QGIS
> >>    depends on so many other OSGeo tools - which would also have to be
> >>    signed - it might be more appropriate to have an OSGeo certificate.)
> > 
> > Moving discussion here to the mailing list, and will make the motion
> > tomorrow.
> > 
> > As this is the OSGeo board mailing list I would like to keep the
> > technical details of signing to a minimum and focus on our role in
> > supporting the QGIS project.
> > 
> > We are focused on a very clear question - can OSGeo obtain a
> > certificate for use by OSGeo projects. The cost appears to be nominal
> > (one quote <https://www.digicert.com/code-signing/> is $160/yearly).
> > 
> > I view this as an appropriate use of the OSGeo branding and well within
> > our capacity as an organization.
> > --
> > Jody Garnett

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com


