[Board] OSGeo signing certificates (discussion)

Alex M tech_dev at wildintellect.com
Fri Oct 16 10:31:17 PDT 2015


Yes it sounds like a little research needs to be done on how to
centralize the key but not necessarily centralize the building (which is
not all in one place, and likely never will be).

Perhaps there's a way to allow a specific set of personal gpg keys to
access a service on an osgeo server that signs the packages.

Thanks,
Alex
SAC Chair


On 10/16/2015 09:46 AM, Even Rouault wrote:
> On Friday, 16 October 2015 at 18:32:19, Jody Garnett wrote:
>> Any further discussion, I will hold this thread open for another two hours
>> before making a new motion to the board. Motion is going to be along the
>> lines of approving a yearly dollar figure, rather than exact details.
>>
>> Questions:
>> - The QGIS Officer (listed as Gary Sherman
>> <http://wiki.osgeo.org/wiki/Gary_Sherman>) may be in a position to make a
>> better motion on behalf of their team?
>> - Is the SAC committee the correct contact point to store the certificate
>> (say in a password-protected svn?). The certificate will need to be
>> available to a *very small* group of individuals who configure a build box
>> with the ability to sign an application on behalf of OSGeo.
> 
> I realize this is about the technique and not the principle, but instead of 
> distributing the certificate, with the risk that the accounts/machines that store it 
> get compromised, wouldn't it make sense to have a single machine where it is 
> stored, and (authorized) people do the signing on it? 
> 
> It would be bad if the OSGeo certificate were misused, which would require 
> revoking it, etc...
> 
> Some projects use even more advanced mechanisms where the people signing 
> binaries don't even have access to the key themselves, as far as I understand:
> https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer
> 
> 
>> --
>> Jody Garnett
>>
>> On 15 October 2015 at 09:11, Jody Garnett <jody.garnett at gmail.com> wrote:
>>> Today's board meeting had the following agenda topic:
>>>>    - discuss possibility of OSGeo software signing certificates [Anita]
>>>>    (i.e. OSX seems to not allow installation of unsigned software by
>>>>    default --> user needs to change configuration --> signed software
>>>>    would appear more professional. On the QGIS mailing list, we were
>>>>    discussing that we could have a QGIS.org certificate but since QGIS
>>>>    depends on so many other OSGeo tools - which would also have to be
>>>>    signed - it might be more appropriate to have an OSGeo certificate.)
>>>
>>> Moving discussion here to the mailing list, and will make the motion
>>> tomorrow.
>>>
>>> As this is the OSGeo board mailing list I would like to keep the
>>> technical details of signing to a minimum and focus on our role in
>>> supporting the QGIS project.
>>>
>>> We are focused on a very clear question - can OSGeo obtain a
>>> certificate for use by OSGeo projects? The cost appears to be nominal
>>> (one quote <https://www.digicert.com/code-signing/> is $160/yearly).
>>>
>>> I view this as an appropriate use of the OSGeo branding and well within
>>> our capacity as an organization.
>>> --
>>> Jody Garnett
> 
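The arrangement Alex and Even sketch above (the key lives on one OSGeo-controlled host, a specific set of personal keys is allowed to ask that host for signatures, and the people signing never hold the release key themselves) can be shown as a small program. This is an added example written for this page; it is not code from the thread, from OSGeo, or from the Fedora signing server it links to. It assumes Ed25519 key pairs as stand-ins both for the personal GPG keys and for the OSGeo code-signing certificate, uses constructed names ("alice") and constructed artifact bytes, and leaves out transport: a real deployment would authenticate requests over SSH or TLS and have the service call gpg, codesign or signtool on its own host rather than ed25519.Sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignRequest is what a release manager sends from their own build box: the artifact
// digest plus proof that the request comes from an authorised personal key.
type SignRequest struct {
	Artifact     string            // file name, for the audit log only
	Digest       [32]byte          // SHA-256 of the artifact bytes
	RequesterKey ed25519.PublicKey // stands in for a personal GPG public key (assumption)
	RequesterSig []byte            // requester's signature over Digest
}

// SigningService holds the only copy of the release key, standing in for the OSGeo
// code-signing certificate. Callers get detached signatures back, never the key.
type SigningService struct {
	releaseKey ed25519.PrivateKey
	authorized map[string]string // hex(personal public key) -> owner
	AuditLog   []string
}

// NewSigningService generates the release key on the service host, so it never exists elsewhere.
func NewSigningService() (*SigningService, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{releaseKey: priv, authorized: map[string]string{}}, nil
}

// Authorize adds one personal key to the specific set allowed to request signatures.
func (s *SigningService) Authorize(owner string, pub ed25519.PublicKey) {
	s.authorized[hex.EncodeToString(pub)] = owner
}

// ReleasePublicKey is the only key material that leaves the service.
func (s *SigningService) ReleasePublicKey() ed25519.PublicKey {
	return s.releaseKey.Public().(ed25519.PublicKey)
}

// Sign checks who is asking and that they really signed this digest, then signs the
// digest with the release key and records the decision in the audit log.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	owner, ok := s.authorized[hex.EncodeToString(req.RequesterKey)]
	if !ok {
		s.AuditLog = append(s.AuditLog, "DENY "+req.Artifact+": requester key not authorized")
		return nil, errors.New("requester key not authorized")
	}
	if !ed25519.Verify(req.RequesterKey, req.Digest[:], req.RequesterSig) {
		s.AuditLog = append(s.AuditLog, "DENY "+req.Artifact+": bad requester signature")
		return nil, errors.New("bad requester signature")
	}
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("SIGN %s sha256=%x by %s", req.Artifact, req.Digest, owner))
	return ed25519.Sign(s.releaseKey, req.Digest[:]), nil
}

// NewRequest is the client side: hash the built artifact and sign the digest with the
// release manager's personal key. The artifact itself stays on the build box.
func NewRequest(name string, artifact []byte, personal ed25519.PrivateKey) SignRequest {
	d := sha256.Sum256(artifact)
	return SignRequest{Artifact: name, Digest: d, RequesterKey: personal.Public().(ed25519.PublicKey),
		RequesterSig: ed25519.Sign(personal, d[:])}
}

// VerifyRelease is what an end user or installer does with the published release key.
func VerifyRelease(releasePub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(releasePub, d[:], sig)
}

// Demo runs the flow end to end: an authorised request yields a verifiable signature,
// an unknown key is refused, and a modified artifact fails verification.
func Demo() (signedOK, unknownRefused, tamperDetected bool, err error) {
	svc, err := NewSigningService()
	if err != nil {
		return false, false, false, err
	}
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // authorised release manager (constructed)
	_, mallPriv, _ := ed25519.GenerateKey(rand.Reader)         // someone not on the list
	svc.Authorize("alice", alicePub)
	artifact := []byte("constructed sample artifact bytes, standing in for an installer")
	sig, err := svc.Sign(NewRequest("QGIS-installer.dmg", artifact, alicePriv))
	signedOK = err == nil && VerifyRelease(svc.ReleasePublicKey(), artifact, sig)
	_, err = svc.Sign(NewRequest("QGIS-installer.dmg", artifact, mallPriv))
	unknownRefused = err != nil
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1 // flip one bit
	tamperDetected = !VerifyRelease(svc.ReleasePublicKey(), tampered, sig)
	return signedOK, unknownRefused, tamperDetected, nil
}

func main() {
	ok, refused, tamper, err := Demo()
	fmt.Println("signed:", ok, "unknown refused:", refused, "tamper detected:", tamper, "err:", err)
}
```

The property the thread is after is that releaseKey is never serialised or returned: a compromised build box leaks at most that manager's personal key, which is handled by removing one entry from the authorised set rather than by revoking the shared certificate Even warns about. The audit log is what lets the SAC answer "who signed what, when" after the fact.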
