2014-10-09 20:10 GMT+04:00 <ma...@apache.org>: > Author: markt > Date: Thu Oct 9 16:10:57 2014 > New Revision: 1630526 > > URL: http://svn.apache.org/r1630526 > Log: > Sign the uninstaller as well as the installer > > Modified: > tomcat/trunk/build.xml > tomcat/trunk/res/tomcat.nsi > tomcat/trunk/webapps/docs/changelog.xml > > Modified: tomcat/trunk/build.xml > URL: > http://svn.apache.org/viewvc/tomcat/trunk/build.xml?rev=1630526&r1=1630525&r2=1630526&view=diff > ============================================================================== > --- tomcat/trunk/build.xml (original) > +++ tomcat/trunk/build.xml Thu Oct 9 16:10:57 2014
1. It shall be possible to build an (unsigned) installer when code signing tool is not available. Maybe it already works - I have not tested. The build at Buidbot is currently broken, but in a different place than where I expected. It says: [exec] !system: returned 0, aborting [exec] Error in script "tomcat.nsi" on line 31 -- aborting creation process and line 31 is !system "tempinstaller.exe" = 2 2. This solutions runs Ant -> makensis -> (makensis /DINNER); (ant ant -f ..\..\build.xml sign-windows-uninstaller). I think it can be unwrapped by explicitly calling makensis twice from Ant with the same nsi file but different /D defines. > @@ -31,6 +31,7 @@ > <property file="${user.home}/build.properties"/> > <property file="build.properties"/> > <property file="build.properties.default"/> > + <property environment="env"/> 3. Why are you relying on shell environment variables? There is java property that provides location of temporary directory. 4. Can the uninstaller be written to our own directory instead of the system one? Its name is not unique. It will break if two builds are running in parallel. (In an unlikely worst case you may end with signing someone else's file). 5. Is the uninstaller file removed after the build? Is the tempinstaller file removed after the build? > <!-- Project Name --> > <property name="project" value="apache-tomcat" /> > @@ -2145,6 +2146,25 @@ Apache Tomcat ${version} native binaries > > </target> > > + <!-- Called by the Windows installer to sign the uninstaller --> > + <target name="sign-windows-uninstaller"> > + > + <taskdef name="signcode" > + classname="org.apache.tomcat.buildutil.SignCode" > + classpath="${tomcat.classes}" /> > + > + <signcode userName="${codesigning.user}" password="${codesigning.pwd}" > + partnerCode="${codesigning.partnercode}" > + applicationName="Apache Tomcat ${version.major.minor} > Uninstaller" > + applicationversion="${version}" > + signingService="${codesigning.service}"> > + <fileset dir="${env.TEMP}"> > + <filename name="uninstall.exe"/> > + </fileset> > + </signcode> > + > + </target> > + > <target name="release" > > depends="clean,release-init,dist-deployer,sign-windows-binaries,package-zip,package-winzip,package-tgz,package-deployer-zip,package-deployer-tgz,javadoc,package-docs-tgz,package-src-zip,package-src-tgz,package-src-jar" > description="Create a Tomcat packaged distribution"> > > Modified: tomcat/trunk/res/tomcat.nsi > URL: > http://svn.apache.org/viewvc/tomcat/trunk/res/tomcat.nsi?rev=1630526&r1=1630525&r2=1630526&view=diff > ============================================================================== > --- tomcat/trunk/res/tomcat.nsi (original) > +++ tomcat/trunk/res/tomcat.nsi Thu Oct 9 16:10:57 2014 > @@ -15,6 +15,31 @@ > > ; Tomcat script for Nullsoft Installer > > +!ifdef INNER > + OutFile "tempinstaller.exe" > + SetCompressor /SOLID lzma > +!else > + ; Call makensis again, defining INNER. This writes an installer for us > which, when > + ; it is invoked, will just write the uninstaller to some location, and > then exit. > + ; Be sure to substitute the name of this script here. > + > + !system "$\"${NSISDIR}\makensis$\" /DINNER tomcat.nsi" = 0 > + > + ; So now run that installer we just created as tempinstaller.exe. Since it > + ; calls quit the return value isn't zero. > + > + !system "tempinstaller.exe" = 2 5. As I know, running the real installer triggers UAC (privileges raise) prompt when it is run on Windows 7. Does such UAC prompt happen with this tempinstaller as well? I mean - can you start "ant release" and leave it running unattended till the end, or you need to answer the UAC prompt in middle of the run? (It may be that makensis itself does not mark it as requiring raise of privileges, or that there is a way to tell makensis to do not mark it). > + > + ; That will have written an uninstaller binary for us. Now we sign it > with your > + ; favourite code signing tool. > + !system "ant -f ..\..\build.xml sign-windows-uninstaller" = 0 6. It looks that the above assumes where build output directory is. This is broken if tomcat.output property is redefined in build.properties file. (I usually redefine it to move "output" directory outside of source tree to hide it from IDE and Subversion). If issue "1." is solved (skipping this step unless it is an official release), then I do not mind for this breakage, as I do not expect the "output" directory be moved when building official releases. I wonder if the path could be calculated relative to the nsi file. 7. I wonder whether there is a better way to call Apache Ant. E.g. %ANT_HOME%\bin\ant The prerequisite to have Ant in %PATH% is not documented in BUILDING.txt (I have it in %PATH% in that shell that is building Tomcat, so calling it just as "ant" does not breaks things for me. On unixes the "ant" script evaluates ANT_HOME if it is not set, but does not export it. The value is passed to Ant as -Dant.home=\"$ANT_HOME\". ) A better solution would be to just call makensis twice from within Ant build file, as I outlined in "2." above. > + > + ; Good. Now we can carry on writing the real installer. > + > + OutFile tomcat-installer.exe > + SetCompressor /SOLID lzma 8. We already have "SetCompressor" directive a few lines later in the file, along with "CRCCheck on". I see no real need to duplicate it. As there is no "/FINAL" option in the above directive, I guess the later duplicate overwrites it. For reference: http://nsis.sourceforge.net/Reference/SetCompressor In the sample code the first occurrence of that directive was "SetCompress off" http://nsis.sourceforge.net/Signing_an_Uninstaller > +!endif > + > ;Compression options > CRCCheck on > SetCompressor /SOLID lzma > @@ -90,9 +115,6 @@ Var ServiceInstallLog Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org