How are other projects signing releases?
R. Tyler Croy
Greetings from ye olde Jenkins projecte! My colleague in the Jenkins infra project Olivier (olblak) has been working on automating our releases, and the issue of signing those releases has been a sticking point. This is especially challenging for the Mac and Windows packages we distribute, which must be signed with a certificate from a certificate authority (think Verisign, etc). Our Linux packages, in contrast, can be signed with a GPG key we can generate and distribute ourselves.

This ticket was opened by cra@ (https://github.com/cdfoundation/foundation/issues/10), but I believe there was some misunderstanding about the specifics of our requirements. When we tried this ourselves previously, a certificate authority would _not_ issue us a certificate because "Jenkins" itself was/is not a legal entity. My assumption was that the CDF, as a legitimate legal entity, would be able to broker a valid certificate on our behalf, and that it could be shoved into our Azure Key Vault for signing of our releases. As you can see in the ticket, there's reluctance to do so at the moment.

I'm wondering if any other projects have found a way to sign packages requiring valid certificates in a way that I might be missing here. For example, if we just purchased a normal cert for jenkins.io (as an example) and used that as a code signing certificate, I'm not sure if that works in the Mac/Windows ecosystem or if a certificate authority would go for it.

If there's not an approach I might be missing, and Dan's comments on the ticket are correct in that the CDF would not at this time be able to acquire the code signing certificate, then one of our initial motivations for Jenkins to move in the foundation direction will have failed, and I'm not entirely certain how we'll work around it. :-/

Looking forward to some ideas from the smart folks runnin' around here :)

Toodles

--
GitHub: https://github.com/rtyler
GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
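Tyler asks whether a normal certificate bought for jenkins.io could double as a code signing certificate. The property to check is the Extended Key Usage extension: Windows Authenticode and Apple codesign expect the Code Signing EKU (1.3.6.1.5.5.7.3.3), while a CA issues a web cert with serverAuth only. The script below is an added illustration, not code from the thread or the Jenkins project; it assumes OpenSSL 1.1.1 or newer and generates two throwaway self-signed certs to compare.

```shell
#!/bin/sh
# Added example (not from the thread): does a PEM certificate carry the
# Code Signing extended key usage that code-signing tools require?
# Assumes OpenSSL >= 1.1.1 (needed for -addext) and a writable temp dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test certs: self-signed, one with the EKU a TLS cert for
# jenkins.io would carry, one with the EKU a code-signing cert must carry.
make_cert() {  # $1 = output PEM file, $2 = extendedKeyUsage value
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/key.pem" -out "$1" -days 1 \
    -subj "/CN=jenkins.io" -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Prints the EKU line of a PEM cert; empty when the extension is absent.
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Returns 0 when the cert is usable for code signing, 1 otherwise.
has_code_signing_eku() {
  cert_eku "$1" | grep -q 'Code Signing'
}

WEB_CERT="$WORK/web.pem"            # what a CA issues for a hostname
CODESIGN_CERT="$WORK/codesign.pem"  # what a code-signing cert must carry
make_cert "$WEB_CERT" serverAuth
make_cert "$CODESIGN_CERT" codeSigning

for c in "$WEB_CERT" "$CODESIGN_CERT"; do
  if has_code_signing_eku "$c"; then
    echo "$(basename "$c"): usable for code signing ($(cert_eku "$c"))"
  else
    echo "$(basename "$c"): NOT a code-signing cert ($(cert_eku "$c"))"
  fi
done
```

Run the same `has_code_signing_eku` check against any certificate a CA actually offers before paying for it; a cert whose EKU lists only TLS Web Server Authentication will be rejected by the signing tools regardless of who issued it.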
Hey Tyler, I re-opened the issue to do some more investigation on our end, I need a bit more detail on the legal concerns, before we find a creative solution. Almost all projects go the GPG route (or through some package registry) so this may be a new case. On Wed, Oct 2, 2019 at 10:20 PM R. Tyler Croy <rtyler@...> wrote:
--
Chris Aniszczyk (@cra) | +1-512-961-6719
I would like to add some clarification: while the end goal is effectively to get a code signing certificate, the "tricky" part is to have a "verified" account on one of the many providers that exist in order to get a certificate. During that account creation they ask for various information to verify that the person who creates the account really belongs to the organization and has the right to proceed. I think we won't be able to create that account as long as the Jenkins trademark is not fully transferred to the Linux Foundation.

Olivier

---
gpg --keyserver keys.gnupg.net --recv-key 52210D3D
---

On Thu, Oct 3, 2019, at 6:06 AM, Chris Aniszczyk wrote:
Kohsuke Kawaguchi
I've added my thought as a comment to the PR. On Thu, Oct 3, 2019 at 6:03 PM Olivier Vernin <olivier@...> wrote:
--
Kohsuke Kawaguchi