On Tuesday, December 9, 2014, Jürgen Schmidt <jogischm...@gmail.com> wrote:
> On 09/12/14 09:17, Andrea Pescetti wrote:
> > Jürgen Schmidt wrote:
> >> We had a signing mechanism in place for a long time and the reason why
> >> we have currently no digital signing is the lack of a certificate where
> >> we as project (PMC) or as representative the release manager have enough
> >> control.
> >
> > I do have a certificate and access key to the signing service. Details
> > in my "OpenOffice and Infra" report
> > http://markmail.org/message/6ymi35tajswcfsps item 4.
> >
> > Of course, I'm more than happy if someone else is willing to help with
> > this; maybe Jan's work of months ago can now be reused and we can sign
> > with minimal effort.
>
> I don't have time to do it but I would start with analyzing which parts
> have to be signed. The former process signed all binary artifacts (dll,
> jars, .NET assemblies, ...). I am not sure if this is all necessary or
> if it was just signed for simplification.
>
> The new mechanism requires a more or less rework of the signing process.
> And it will result probably in a multiphase signing and packaging
> process. First round is to sign exe, dlls, assemblies etc. figured out
> in the initial analysis. Second step is to package the msi and the
> setup.exe. And finally package the downloadable exe and sign this as well.
>
>

Of course anybody can do the investigation again, but the rule is quite clear. Windows loadable components must be signed, in our case jar, dll and exe.

I did not change a bit in the build system for my test, but had simple one-liner scripts to help.

First script runs through all release languages, runs configure and make, then renames the output dir with dll etc. (it also renamed the dll, jar to xyz.lang.dll).

Second step was manual: upload to Symantec GUI and sign, download the signed artifacts.

Second script runs through all release languages, renames the output dir back, runs configure and then make postprocess. Finally it renames the install set.

Last step was manual: upload all installers to Symantec, sign and download.

We (infra) spent quite some time discussing a local solution, but it turned out to be very costly (both in terms of real money and man hours). We then saw that Symantec actually provides at least 80% of the solution we looked at, so the choice was simple.

rgds
jan i

> Juergen

--
Sent from My iPad, sorry for any misspellings.
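
Added example, not part of the thread or of the OpenOffice build system: a check that could run between the two signing rounds described above, listing every dll, exe or jar in an output directory that came back without a signature. It tests only for the presence of a signature (PE certificate table, jar `META-INF` signature files), not its validity; all function names and sample files are hypothetical and constructed.

```python
import io, os, struct, zipfile

def pe_has_signature(data: bytes) -> bool:
    """exe/dll: non-empty certificate table (data directory 4). Presence only, not validity."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
        opt = pe + 24                                         # optional header start
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+
        count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
        offset, size = struct.unpack_from("<II", data, dirs + 32)
    except (struct.error, KeyError):
        return False      # truncated file or not a PE32/PE32+ optional header
    return (data[:2] == b"MZ" and data[pe:pe + 4] == b"PE\0\0" and count > 4
            and offset > 0 and size > 0 and offset + size <= len(data))

def jar_has_signature(data: bytes) -> bool:
    """jar: META-INF holds a .SF file plus a .RSA/.DSA/.EC signature block."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            meta = [n.upper() for n in jar.namelist() if n.upper().startswith("META-INF/")]
    except zipfile.BadZipFile:
        return False
    return (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))

def unsigned_components(files: dict) -> list:
    """Names of dll/exe/jar entries with no signature; other file types are skipped."""
    checks = {".dll": pe_has_signature, ".exe": pe_has_signature, ".jar": jar_has_signature}
    return sorted(name for name, data in files.items()
                  if (c := checks.get(os.path.splitext(name)[1].lower())) and not c(data))

def make_pe(signed: bool) -> bytes:
    """Constructed sample: header-only PE32 stub; 'signed' adds a dummy 8-byte blob."""
    hdr = bytearray(0x40 + 24 + 96 + 16 * 8)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, 0x40 + 24 + 92, 16)           # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", hdr, 0x40 + 24 + 96 + 32, len(hdr), 8)
    return bytes(hdr) + (b"\0" * 8 if signed else b"")

def make_jar(signed: bool) -> bytes:
    """Constructed sample jar; signature entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in ["MANIFEST.MF"] + (["X.SF", "X.RSA"] if signed else []):
            z.writestr("META-INF/" + n, "")
    return buf.getvalue()
```

An empty result from `unsigned_components` over the output directory is the condition for moving on to packaging the msi and setup.exe.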