Requesting access to the code signing service
The ASF currently uses ssl.com's eSigner to sign JARs and Windows executables.
To gain access to the service, create a Jira ticket with the following information:
- Set the component to code signing
- The name of the PMC requesting the code signing service
- The Apache IDs of the committer(s) who will act as release managers
The infra team will then request the account creation and, after a few e-mails and the configuration of an OTP token, you will have an account that lets you access the service. Each PMC member must have their own account to access the service.
Release managers can then sign release artifacts via:
- the API using a tool such as Jsign
- the standard Windows tools (signtool.exe / certutil.exe) by installing the eSigner Cloud Key Adapter (CKA)
- ssl.com's Java based CodeSignTool
- the eSigner web interface
For the first three options, the code signing is performed locally: there is no need to upload large files, because only the hashes are passed to the central signing service.
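To illustrate why only a hash has to leave the release manager's machine when a JAR is signed, the following added example (not ASF, Jsign or ssl.com code, and it does not contact the eSigner service) builds a simplified manifest and .SF file for a constructed in-memory JAR and derives the fixed-size digest a remote signer would need. The function names are hypothetical, and the per-entry .SF sections and the PKCS#7 signature block of a real signed JAR are left out.

```python
import base64
import hashlib
import io
import zipfile


def b64_sha256(data: bytes) -> str:
    """Base64 SHA-256 digest, the encoding used in JAR manifests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(jar_bytes: bytes) -> bytes:
    """Build a MANIFEST.MF with one SHA-256-Digest section per JAR entry."""
    sections = [b"Manifest-Version: 1.0\r\n\r\n"]
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(jar.namelist()):
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue  # directories and signature metadata are not digested
            digest = b64_sha256(jar.read(name))
            sections.append(
                f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n".encode()
            )
    return b"".join(sections)


def build_signature_file(manifest: bytes) -> bytes:
    """Build a simplified .SF file that binds the whole manifest by digest."""
    return (
        "Signature-Version: 1.0\r\n"
        f"SHA-256-Digest-Manifest: {b64_sha256(manifest)}\r\n\r\n"
    ).encode()


def digest_for_remote_signer(jar_bytes: bytes) -> bytes:
    """Return the 32-byte value that has to leave the machine for signing."""
    sf = build_signature_file(build_manifest(jar_bytes))
    return hashlib.sha256(sf).digest()


def make_sample_jar(payload_size: int) -> bytes:
    """Constructed sample input: an in-memory JAR with one class-like entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/App.class", b"\xca\xfe\xba\xbe" + b"\0" * payload_size)
    return buf.getvalue()


if __name__ == "__main__":
    for size in (1_000, 5_000_000):
        jar = make_sample_jar(size)
        print(len(jar), "byte JAR ->", len(digest_for_remote_signer(jar)), "byte digest")
```

Because every entry's content feeds the manifest digests, a change to any file in the JAR changes the value that is signed, while its size stays at 32 bytes however large the artifact is.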
Copyright 2024, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache® and the Apache feather logo are trademarks of The Apache Software Foundation.