On Thursday, December 25, 2014, Dennis E. Hamilton <[email protected]>
wrote:

>
>
>  -- replying to --
> From: jan i [mailto:[email protected]]
> Sent: Thursday, December 25, 2014 07:51
> To: dev
> Subject: Digital signing release for windows.
>
> [ ... ]
>
> My suggestion is simple, lets rerun AOO 4.1 for windows, sign it digitally,
> and then release it as a patch version.
>
> I am happy to help, especially with the signing, but to help I need access
> to the certificate given to the PMC, and somebody who can make a release
> windows build.
>
> <orcmid>
>    The official key is not needed in order to confirm a successful signing.
>    Demonstrating a successful signing with any verifiable key is good
>    enough to establish that the end-to-end procedure works.  Then take the
>    same originals back through the ASF signing process.

Which is why infra offers test keys, but I was talking about making a release,
and that requires the official key.

I have experimented enough (I started about 6 months ago, and was part of the
discussions in infra).

>
>    A shortcut, which I am puzzling about is to not even do a new build but
>    use the artifacts that are already in the Apache 4.1.1 distribution.
>    (It does mean the cab may have to be opened, and I am not certain how
>    that works for signing).  This has the advantage of preserving the
>    provenance of the distribution, because apart from signing the artifacts
>    are identical.

With my knowledge, this would be far more difficult.

>
>    It might be too difficult to interrupt the process to just use the
>    end-stage that puts together the (now-signed) cab contents and the
>    installer package.

You don't interrupt the process; you simply start the build process in the
right directory. This is a standard facility of our build system.

>
>    In that case, it might be good enough to experiment with on a single
>    language but not for a new binary release.  But if we are certain there
>    is a working process but new builds are needed, waiting for 4.1.1 seems
>    like a good idea.  One can then verify the process using a developer
>    build before going to rc01.

The release candidate should only be in a single language, but since we
vote on binaries as well, the vote should be on all languages we want to
release.

>
>    Also, I think it is still necessary to see what the problem was with
>    having a signed installer (actually, a setup self-extractor the way AOO
>    does it) that creates a setup directory of unsigned artifacts.  The
>    Windows 8[.1] problem seems odd.  If it doesn't complain when the 4.1.1
>    extraction is done with an unsigned installer, I can't quite get the
>    problem.  It may be that the way I do installs avoids that problem and
>    that might be useful to understand.  (I don't let the installer crap on
>    my desktop, and I have it use a share on a file server instead, and
>    setup runs from there just fine on 8.1 and Windows 10 Technical Preview.)

It has been tried both by myself and Mark from Tomcat; for 8.1 we need the
runtime objects signed, for older versions your idea works well.

rgds
jan i

> </orcmid>
>
>
>
> Steps are simple:
> 1) make a full build, pick all DLL, JAR and EXE from the object tree
> 2) Sign them, or let me help with that
> 3) Overwrite the object tree with the signed artifacts
> 4) run build but on postprocess (generate new setup package)
> 5) Sign the installer or let me help with that
> 6) Upload and start vote
> 7) Upload to dist and be happy.
>
> [ ... ]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>

-- 
Sent from My iPad, sorry for any misspellings.
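The quoted seven-step procedure (sign every DLL, JAR and EXE in the object tree, put the signed copies back, regenerate the setup package, then sign the installer) is the kind of thing that is easy to get half right: a single unsigned runtime object left behind is exactly what the Windows 8.1 problem above is about. The following PowerShell script is an added example, not code from the AOO project or from anyone in this thread. It signs the PE files with signtool.exe (Windows SDK) using a certificate already in the user's certificate store, signs JARs with jarsigner (JDK), verifies that no unsigned PE file remains before the installer is rebuilt, and finally signs and verifies the installer. The object-tree path, installer path, certificate thumbprint, keystore, alias and timestamp URL are all placeholders to be replaced; the project-specific "run the build on postprocess" step is left as a comment because it depends on the AOO build system.

```powershell
# Added example (not AOO project code). All paths, the thumbprint, the keystore
# alias and the timestamp URL below are hypothetical and must be adjusted.
param(
    [string]$ObjectTree   = 'C:\aoo\main\instsetoo_native\wntmsci12.pro',        # hypothetical
    [string]$Installer    = 'C:\aoo\out\Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe',  # hypothetical
    [string]$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567',          # hypothetical SHA-1 of the signing cert
    [string]$JarKeystore  = 'C:\keys\release-signing.jks',                        # hypothetical
    [string]$JarAlias     = 'aoo-release',                                        # hypothetical alias
    [string]$TimestampUrl = 'http://timestamp.example.invalid/rfc3161'            # placeholder RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

function Sign-PeFile {
    param([string]$Path)
    # /sha1 selects the certificate from the CurrentUser\My store by thumbprint, so no
    # PFX password lives in the script. /fd SHA256 sets the file digest; /tr and /td
    # request an RFC 3161 timestamp so the signature stays valid after the cert expires.
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $Path" }
}

function Sign-JarFile {
    param([string]$Path)
    # jarsigner signs the JAR in place. The keystore password is read from the
    # environment variable JAR_STOREPASS (-storepass:env) rather than the command line.
    if (-not $env:JAR_STOREPASS) { throw 'set JAR_STOREPASS before running' }
    & jarsigner -keystore $JarKeystore -storepass:env JAR_STOREPASS -tsa $TimestampUrl $Path $JarAlias
    if ($LASTEXITCODE -ne 0) { throw "jarsigner failed on $Path" }
    & jarsigner -verify -strict $Path
    if ($LASTEXITCODE -ne 0) { throw "jarsigner -verify failed on $Path" }
}

function Test-SignedTree {
    param([string]$Root)
    # Every DLL/EXE under the tree must carry a signature that chains to a trusted root.
    # Any file that is NotSigned, HashMismatch or UnknownError is reported and fails the check.
    $bad = Get-ChildItem -Path $Root -Recurse -Include *.dll, *.exe |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' }
    if ($bad) {
        $bad | Select-Object Path, Status | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

# Steps 1-2: collect the runtime objects from the object tree and sign them.
Get-ChildItem -Path $ObjectTree -Recurse -Include *.dll, *.exe |
    ForEach-Object { Sign-PeFile -Path $_.FullName }
Get-ChildItem -Path $ObjectTree -Recurse -Include *.jar |
    ForEach-Object { Sign-JarFile -Path $_.FullName }

# Step 3: signing happened in place, so the signed artifacts already overwrite the
# originals. Refuse to continue if anything unsigned is left, because that is what
# trips Windows 8.1 even when the outer installer is signed.
if (-not (Test-SignedTree -Root $ObjectTree)) {
    throw 'unsigned PE files remain in the object tree; fix before rebuilding the setup package'
}

# Step 4: re-run the build's post-processing from the right directory here to
# regenerate the setup package (project-specific; not shown in this example).

# Step 5: sign the regenerated installer (the setup self-extractor) and verify it.
Sign-PeFile -Path $Installer
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { throw "installer signature status is $($sig.Status)" }
"Installer signed by $($sig.SignerCertificate.Subject); timestamp $($sig.TimeStamperCertificate.Subject)"
```

For a dry run with infra's test key (as suggested above), point `$Thumbprint` at the test certificate; `Get-AuthenticodeSignature` will then report `UnknownError` rather than `Valid` unless the test root is trusted on the build machine, which is itself a useful reminder that a signature is only as good as the chain the verifying Windows box trusts.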
