-- replying to --
From: jan i [mailto:[email protected]]
Sent: Thursday, December 25, 2014 07:51
To: dev
Subject: Digital signing release for windows.
[ ... ]

My suggestion is simple, let's rerun AOO 4.1 for Windows, sign it digitally, and then release it as a patch version. I am happy to help, especially with the signing, but to help I need access to the certificate given to the PMC, and somebody who can make a release Windows build.

<orcmid>
The official key is not needed in order to confirm a successful signing. Demonstrating a successful signing with any verifiable key is good enough to establish that the end-to-end procedure works. Then take the same originals back through the ASF signing process.

A shortcut, which I am puzzling about, is to not even do a new build but use the artifacts that are already in the Apache 4.1.1 distribution. (It does mean the cab may have to be opened, and I am not certain how that works for signing.) This has the advantage of preserving the provenance of the distribution, because apart from signing, the artifacts are identical.

It might be too difficult to interrupt the process to just use the end-stage that puts together the (now-signed) cab contents and the installer package. In that case, it might be good enough to experiment with on a single language but not for a new binary release.

But if we are certain there is a working process but new builds are needed, waiting for 4.1.1 seems like a good idea. One can then verify the process using a developer build before going to rc01.

Also, I think it is still necessary to see what the problem was with having a signed installer (actually, a setup self-extractor the way AOO does it) that creates a setup directory of unsigned artifacts. The Windows 8[.1] Problem seems odd. If it doesn't complain when the 4.1.1 extraction is done with an unsigned installer, I can't quite get the problem. It may be that the way I do installs avoids that problem and that might be useful to understand. (I don't let the installer crap on my desktop, and I have it use a share on a file server instead, and setup runs from there just fine on 8.1 and Windows 10 Technical Preview.)
</orcmid>

Steps are simple:
1) make a full build, pick all DLL, JAR and EXE from the object tree
2) Sign them, or let me help with that
3) Overwrite the object tree with the signed artifacts
4) run build but on postprocess (generate new setup package)
5) Sign the installer or let me help with that
6) Upload and start vote
7) Upload to dist and be happy.

[ ... ]
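A check that could run between steps 3 and 4 of the procedure quoted above, as an added example that is not part of the original message or of the AOO build system: it walks an object tree and lists DLL/EXE files with no Authenticode certificate table and JAR files with no signature block. It tests only that signature data is present, not that it validates against a trusted certificate; the function names and the `sample_pe` bytes are constructed for illustration.

```python
import struct, zipfile
from pathlib import Path

def pe_has_cert_table(data: bytes) -> bool:
    """True if the PE Certificate Table (data directory 4) points at data in the file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                           # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]             # PE32 / PE32+ directory offset
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 4:    # NumberOfRvaAndSizes
        return False
    offset, size = struct.unpack_from("<II", data, dirs + 32)  # file offset, not an RVA
    return 0 < offset and 0 < size and offset + size <= len(data)

def jar_has_signature(path) -> bool:
    """True if META-INF holds both a .SF file and a .RSA/.DSA/.EC signature block."""
    with zipfile.ZipFile(path) as jar:
        meta = [n.upper() for n in jar.namelist() if n.upper().startswith("META-INF/")]
    return (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))

def unsigned_artifacts(tree) -> list:
    """Relative paths of DLL/EXE/JAR files under tree lacking embedded signature data."""
    missing = []
    for path in sorted(p for p in Path(tree).rglob("*") if p.is_file()):
        ext = path.suffix.lower()
        try:
            if ext in (".dll", ".exe"):
                ok = pe_has_cert_table(path.read_bytes())
            elif ext == ".jar":
                ok = jar_has_signature(path)
            else:
                continue
        except (ValueError, KeyError, struct.error, zipfile.BadZipFile):
            ok = False                                      # unparseable: report, do not skip
        if not ok:
            missing.append(path.relative_to(tree).as_posix())
    return missing

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for the demo; not a loadable binary."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
    head += struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if signed:                                              # point entry 4 at 8 trailing bytes
        struct.pack_into("<II", dirs, 32, len(head) + len(dirs), 8)
    return head + bytes(dirs) + (bytes(8) if signed else b"")
```

An empty list from `unsigned_artifacts` on the object tree means every DLL, EXE and JAR carries signature data; trust in that data still has to be confirmed with the platform's own verification tools.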
