[lsb-discuss] Signing packages

Dan Lopez dlopez at linuxfoundation.org
Tue Jun 30 12:31:23 PDT 2009

Thanks Mats! This is exactly what I was referring to as a key located
outside of docroot of the web app.

In my SCM experience we used a random key generated from a build (but really
all it has to be is some set of characters in a file), then md5() the digest
of the key + the file or files that need to be signed + IP of the
origination server and you get a uniquely signed release.

Thanks again for the clarification

Dan Lopez
Web Development Manager
The Linux Foundation
1796 18th Street, Suite C
San Francisco, CA 94107

+1 703.926.4840
skype: danlopez00
gtalk: danlopez00 at gmail.com
twitter: dan_lopez

On Tue, Jun 30, 2009 at 12:06 PM, Wichmann, Mats D <
mats.d.wichmann at intel.com> wrote:

> Till Kamppeter wrote:
> > Is this also the way how our LSB packages get signed? How do they
> > exactly get signed? Which key do we need to give to the distros then?
> >
> >     Till
> LSB packages for release get signed using a key that only exists
> in a closed environment, that's a process that was hashed out
> at some length a year or so ago.  At the moment signing is only done
> by Jeff acting in a release manager capacity; there's a copy of
> the key secured in some manner as an escrow that I forget the details
> of in case Jeff were to fall off the face of the earth. The key will
> also only be used for a limited period, after which a new one will
> be generated. I don't think this key will be shared with anyone...
> (snapshot packages, due to their very different nature, follow
> an entirely different process, they're signed as part of the
> build process and those keys aren't considered particularly secure).
> But signing of printer driver packages is an interesting topic
> that ought to get some thought - Ted? Jeff? Russ?
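
Added example, not part of the original thread or of any LSB tooling: the keyed digest described in the message above (key + files + origin server IP through md5), next to an HMAC-SHA256 variant with length-prefixed fields. The function names, the plain in-order concatenation and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def md5_release_tag(key: bytes, files: list[bytes], origin_ip: str) -> str:
    """Scheme as described: md5 over key + file contents + origin IP.
    Assumption: the fields are concatenated in that order with no framing."""
    h = hashlib.md5()
    h.update(key)
    for data in files:
        h.update(data)
    h.update(origin_ip.encode())
    return h.hexdigest()


def hmac_release_tag(key: bytes, files: list[bytes], origin_ip: str) -> str:
    """Hardened variant: HMAC-SHA256, each field prefixed with its length
    so that field boundaries are part of what gets authenticated."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in [*files, origin_ip.encode()]:
        mac.update(len(field).to_bytes(8, "big"))
        mac.update(field)
    return mac.hexdigest()


def verify(key: bytes, files: list[bytes], origin_ip: str, tag: str) -> bool:
    """Constant-time comparison against a freshly computed HMAC tag."""
    return hmac.compare_digest(hmac_release_tag(key, files, origin_ip), tag)


def demo() -> dict:
    key = b"constructed-build-key"   # constructed sample secret
    ip = "192.0.2.10"                # constructed (documentation range)
    split_a, split_b = [b"ab", b"c"], [b"a", b"bc"]  # same bytes, moved boundary
    tag = hmac_release_tag(key, [b"pkg-contents"], ip)
    return {
        # Unframed concatenation cannot tell the two file sets apart.
        "md5_boundary_collision":
            md5_release_tag(key, split_a, ip) == md5_release_tag(key, split_b, ip),
        "hmac_boundary_collision":
            hmac_release_tag(key, split_a, ip) == hmac_release_tag(key, split_b, ip),
        "accepts_original": verify(key, [b"pkg-contents"], ip, tag),
        "accepts_modified": verify(key, [b"pkg-contents!"], ip, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Both variants are symmetric: whoever holds the key file to verify a tag can also produce one, unlike a public-key package signature where distros only need the public half.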