2014-10-09 20:10 GMT+04:00  <ma...@apache.org>:
> Author: markt
> Date: Thu Oct  9 16:10:57 2014
> New Revision: 1630526
>
> URL: http://svn.apache.org/r1630526
> Log:
> Sign the uninstaller as well as the installer
>
> Modified:
>     tomcat/trunk/build.xml
>     tomcat/trunk/res/tomcat.nsi
>     tomcat/trunk/webapps/docs/changelog.xml
>
> Modified: tomcat/trunk/build.xml
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/build.xml?rev=1630526&r1=1630525&r2=1630526&view=diff
> ==============================================================================
> --- tomcat/trunk/build.xml (original)
> +++ tomcat/trunk/build.xml Thu Oct  9 16:10:57 2014

1. It shall be possible to build an (unsigned) installer when the code
signing tool is not available.

Maybe it already works - I have not tested.

The build at Buildbot is currently broken, but in a different place
than where I expected. It says:

[exec] !system: returned 0, aborting
[exec] Error in script "tomcat.nsi" on line 31 -- aborting creation process

and line 31 is
!system "tempinstaller.exe" = 2


2. This solution runs
  Ant -> makensis -> (makensis /DINNER); (ant -f ..\..\build.xml
sign-windows-uninstaller).

I think it can be unwrapped by explicitly calling makensis twice from
Ant with the same nsi file but different /D defines.


> @@ -31,6 +31,7 @@
>    <property file="${user.home}/build.properties"/>
>    <property file="build.properties"/>
>    <property file="build.properties.default"/>
> +  <property environment="env"/>

3. Why are you relying on shell environment variables?  There is a Java
property that provides the location of the temporary directory.

4. Can the uninstaller be written to our own directory instead of the
system one?

Its name is not unique. It will break if two builds are running in
parallel. (In an unlikely worst case you may end up signing someone
else's file).

5. Is the uninstaller file removed after the build? Is the
tempinstaller file removed after the build?

>    <!-- Project Name -->
>    <property name="project"               value="apache-tomcat" />
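
Review bot: The added <property environment="env"/> line pulls the whole process environment into the build under the env. prefix without a comment saying why it is needed. The only use visible in this patch is ${env.TEMP} in the new sign-windows-uninstaller target, and TEMP is normally set only on Windows. Either document that dependency next to the property or drop the line and take the directory from a property the build defines itself.
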
> @@ -2145,6 +2146,25 @@ Apache Tomcat ${version} native binaries
>
>    </target>
>
> +  <!-- Called by the Windows installer to sign the uninstaller -->
> +  <target name="sign-windows-uninstaller">
> +
> +    <taskdef name="signcode"
> +             classname="org.apache.tomcat.buildutil.SignCode"
> +             classpath="${tomcat.classes}" />
> +
> +    <signcode userName="${codesigning.user}" password="${codesigning.pwd}"
> +              partnerCode="${codesigning.partnercode}"
> +              applicationName="Apache Tomcat ${version.major.minor} 
> Uninstaller"
> +              applicationversion="${version}"
> +              signingService="${codesigning.service}">
> +      <fileset dir="${env.TEMP}">
> +        <filename name="uninstall.exe"/>
> +      </fileset>
> +    </signcode>
> +
> +  </target>
> +
>    <target name="release"
>      
> depends="clean,release-init,dist-deployer,sign-windows-binaries,package-zip,package-winzip,package-tgz,package-deployer-zip,package-deployer-tgz,javadoc,package-docs-tgz,package-src-zip,package-src-tgz,package-src-jar"
>      description="Create a Tomcat packaged distribution">
>
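
Review bot: In the new sign-windows-uninstaller target, the fileset selects uninstall.exe from ${env.TEMP} by fixed name, and nothing in the target checks that the file exists or that this build produced it, so the signing request covers whatever file of that name happens to be in a shared directory. Point the fileset at a directory the build owns (for example one under the build output) and have the NSIS step write the uninstaller there. The target also has no if/unless guard on the codesigning.* properties, so it is attempted even when they are not set; note too that it is not part of the release target's depends list and is reachable only through the call from tomcat.nsi, which deserves a sentence in the target's comment.
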
> Modified: tomcat/trunk/res/tomcat.nsi
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/res/tomcat.nsi?rev=1630526&r1=1630525&r2=1630526&view=diff
> ==============================================================================
> --- tomcat/trunk/res/tomcat.nsi (original)
> +++ tomcat/trunk/res/tomcat.nsi Thu Oct  9 16:10:57 2014
> @@ -15,6 +15,31 @@
>
>  ; Tomcat script for Nullsoft Installer
>
> +!ifdef INNER
> +  OutFile "tempinstaller.exe"
> +  SetCompressor /SOLID lzma
> +!else
> +  ; Call makensis again, defining INNER.  This writes an installer for us 
> which, when
> +  ; it is invoked, will just write the uninstaller to some location, and 
> then exit.
> +  ; Be sure to substitute the name of this script here.
> +
> +  !system "$\"${NSISDIR}\makensis$\" /DINNER tomcat.nsi" = 0
> +
> +  ; So now run that installer we just created as tempinstaller.exe.  Since it
> +  ; calls quit the return value isn't zero.
> +
> +  !system "tempinstaller.exe" = 2

5. As far as I know, running the real installer triggers a UAC (privileges
raise) prompt when it is run on Windows 7.

Does such a UAC prompt happen with this tempinstaller as well?

I mean - can you start "ant release" and leave it running unattended
till the end, or do you need to answer the UAC prompt in the middle of the
run?

(It may be that makensis itself does not mark it as requiring raise of
privileges, or that there is a way to tell makensis not to mark
it).

> +
> +  ; That will have written an uninstaller binary for us.  Now we sign it 
> with your
> +  ; favourite code signing tool.
> +  !system "ant -f ..\..\build.xml sign-windows-uninstaller" = 0

6. It looks like the above assumes where the build output directory is.

This is broken if the tomcat.output property is redefined in the
build.properties file. (I usually redefine it to move the "output"
directory outside of the source tree to hide it from IDE and Subversion).

If issue "1." is solved (skipping this step unless it is an official
release), then I do not mind this breakage, as I do not expect the
"output" directory to be moved when building official releases.

I wonder if the path could be calculated relative to the nsi file.

7. I wonder whether there is a better way to call Apache Ant.  E.g.
%ANT_HOME%\bin\ant

The prerequisite to have Ant in %PATH% is not documented in BUILDING.txt

(I have it in %PATH% in that shell that is building Tomcat, so calling
it just as "ant" does not break things for me.

On unixes the "ant" script evaluates ANT_HOME if it is not set, but
does not export it. The value is passed to Ant as
-Dant.home=\"$ANT_HOME\". )

A better solution would be to just call makensis twice from within Ant
build file,  as I outlined in "2." above.


> +
> +  ; Good.  Now we can carry on writing the real installer.
> +
> +  OutFile tomcat-installer.exe
> +  SetCompressor /SOLID lzma

8. We already have a "SetCompressor" directive a few lines later in the
file, along with "CRCCheck on". I see no real need to duplicate it.

As there is no "/FINAL" option in the above directive, I guess the
later duplicate overwrites it.

For reference:
http://nsis.sourceforge.net/Reference/SetCompressor

In the sample code the first occurrence of that directive was "SetCompress off"
http://nsis.sourceforge.net/Signing_an_Uninstaller


> +!endif
> +
>    ;Compression options
>    CRCCheck on
>    SetCompressor /SOLID lzma
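
Review bot: The comments in the !else branch still read like the generic sample they came from ("Be sure to substitute the name of this script here", "your favourite code signing tool") and no longer describe what this script does, while the one non-obvious value, the expected exit code in !system "tempinstaller.exe" = 2, is explained only as "isn't zero". Rewrite the comments for Tomcat's build and state where the value 2 comes from. Both tempinstaller.exe and ..\..\build.xml are relative paths and ant is called by bare name, so the step depends on the working directory, the output layout and PATH; nothing in the hunk removes tempinstaller.exe once it has run.
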
> @@ -90,9 +115,6 @@ Var ServiceInstallLog



Best regards,
Konstantin Kolinko
