On 09/12/14 09:17, Andrea Pescetti wrote: > Jürgen Schmidt wrote: >> We had a signing mechanism in place for a long time and the reason why >> we have currently no digital signing is the lack of a certificate where >> we as project (PMC) or as representative the release manager have enough >> control. > > I do have a certificate and access key to the signing service. Details > in my "OpenOffice and Infra" report > http://markmail.org/message/6ymi35tajswcfsps item 4. > > Of course, I'm more than happy if someone else is willing to help with > this; maybe Jan's work of months ago can now be reused and we can sign > with minimal effort.
I don't have time to do it but I would start with analyzing which parts have to be signed. The former process signed all binary artifacts (dll, jars, .NET assemblies, ...). I am not sure if this is all necessary or if it was just signed for simplification. The new mechanism requires a more or less rework of the signing process. And it will result probably in a multiphase signing and packaging process. First round is to sign exe, dlls, assemblies etc. figured out in the initial analysis. Second step is to package the msi and the setup.exe. And finally package the downloadable exe and sign this as well. Juergen --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
