[lsb-discuss] Signing packages
dlopez at linuxfoundation.org
Tue Jun 30 12:31:23 PDT 2009
Thanks Mats! This is exactly what I was referring to as a key located
outside of docroot of the web app.
In my SCM experience we used a random key generated from a build (but really
all it has to be is some set of characters in a file), then md5() the digest
of the key + the file or files that need to be signed + IP of the
origination server and you get a uniquely signed release.
Thanks again for the clarification.
Web Development Manager
The Linux Foundation
1796 18th Street, Suite C
San Francisco, CA 94107
gtalk: danlopez00 at gmail.com
On Tue, Jun 30, 2009 at 12:06 PM, Wichmann, Mats D <mats.d.wichmann at intel.com> wrote:
> Till Kamppeter wrote:
> > Is this also the way how our LSB packages get signed? How do they
> > exactly get signed? Which key do we need to give to the distros then?
> > Till
> LSB packages for release get signed using a key that only exists
> in a closed environment, that's a process that was hashed out
> at some length a year or so ago. At the moment signing is only done
> by Jeff acting in a release manager capacity; there's a copy of
> the key secured in some manner as an escrow that I forget the details
> of in case Jeff were to fall off the face of the earth. The key will
> also only be used for a limited period, after which a new one will
> be generated. I don't think this key will be shared with anyone...
> (snapshot packages, due to their very different nature, follow
> an entirely different process, they're signed as part of the
> build process and those keys aren't considered particularly secure).
> But signing of printer driver packages is an interesting topic
> that ought to get some thought - Ted? Jeff? Russ?