Open-source signing infrastructure

[dblock]

Is your feature request related to a problem? Please describe.
We've developed a service that does signing. Open-source it.

[peterzhuamazon]

We will not open source the signer client for now.

[dblock]

Is this final or is it a matter of time? If it's the former, I'd like to understand here what the plan for publicly reproducible signing infrastructure is, and if it's the latter, I'd like to reopen the issue.

[peterzhuamazon]

Is this final or is it a matter of time? If it's the former, I'd like to understand here what the plan for publicly reproducible signing infrastructure is, and if it's the latter, I'd like to reopen the issue.

@peternied could you explain more in details to @dblock I think our decision is this is reproducible with gpg and it is not necessarily that we would want to open source the internal code to run the signing process.

[dblock]

Is this final or is it a matter of time? If it's the former, I'd like to understand here what the plan for publicly reproducible signing infrastructure is, and if it's the latter, I'd like to reopen the issue.

@peternied could you explain more in details to @dblock I think our decision is this is reproducible with gpg and it is not necessarily that we would want to open source the internal code to run the signing process.

That's fine, I am looking for an issue for replacing the existing signing infrastructure with gpg, then.

[peternied]

For our maven artifacts this is relatively straight forward using GPG. We can make this process more transparent - do you have an example of what you would to align towards?

Our other platforms like Mac/Windows signing processes are Amazon internal and would require considerable work to make accessible.