How are other projects signing releases?

R. Tyler Croy

Greetings from ye olde Jenkins projecte! My colleague in the Jenkins infra
project Olivier (olblak) has been working on automating our releases and the
issue of signing those releases has been a sticking point. This is especially
challenging for the Mac and Windows packages we distribute, which must be
signed with a certificate from a certificate authority (think Verisign, etc).
Our Linux packages in contrast can be signed with a GPG key we can generate
and distribute ourselves.

This ticket was opened by cra@
( but I believe there was
some misunderstanding about the specifics about our requirements.

When we tried this ourselves previously, a certificate authority would _not_
issue us a certificate because "Jenkins" itself was/is not a legal
entity. My assumption was that the CDF, as a legitimate legal entity, would be
able to broker a valid certificate on our behalf and that it could be shoved into
our Azure Key Vault for signing of our releases. As you can see in the ticket,
there's reluctance to do so at the moment.

I'm wondering if any other projects have found a way to sign packages requiring
valid certificates in a way that I might be missing here. For example, if we
just purchased a normal cert for (as an example), and used that as a
code signing certificate, I'm not sure if that works in the Mac/Windows
ecosystem or if a certificate authority would go for it.

If there's not an approach I am missing, and Dan's comments on the ticket
are correct in that the CDF would not at this time be able to acquire the code
signing certificate, then one of our initial motivations for Jenkins to move in
the foundation direction will have failed, and I'm not entirely certain how
we'll work around it. :-/

Looking forward to some ideas from the smart folks runnin' around here :)


GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2