Hello Mark,

Sorry for answering the wrong question. Our web application has dependencies on 3rd party jar files.
All jars, our own and all dependencies, should be signed by the same certificate (otherwise the application will not start, with a "JAR resources in JNLP file are not signed by same certificate" error); please see for example here [1].
So we have no option not to sign dependency jars.

[1] https://weblogs.java.net/blog/2005/05/20/signing-jars-javanet-web-start-applications

On Wed, Mar 18, 2015 at 3:46 PM, Mark Thomas <[email protected]> wrote:

> On 17/03/2015 03:14, Maxim Solodovnik wrote:
> > Hello Mark,
> >
> > I have signed lots of jars during testing period, then to resolve some
> > issues with code signing service
> > Recently I sign additional jars to write correct instruction [1]
> >
> > I'll update the guide, and will use "Apache Openmeetings ***" name for
> > further releases
> > Please let me know if any other changes are required
>
> Maxim,
>
> I think you mis-understood my question. Sorry it wasn't clear. I'll be
> more explicit.
>
> There is no concern about the number of test signings. The concern that
> has been raised is around the one production signing.
>
> Why, in the one production signing OpenMeetings has done so far, did you
> sign a bunch of JARs that are not 'owned' by the ASF. For example,
> spring-beans-4.0.8-RELEASE?
>
> Cheers,
>
> Mark
>
>
> > [1] http://openmeetings.apache.org/ReleaseGuide.html
> >
> > On Tue, Mar 17, 2015 at 2:50 AM, Mark Thomas <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Hi,
> >
> >     David (V.P. Infra) asked me (with my infra hat on) to take a quick look
> >     at your recent(ish) code signing.
> >
> >     I see that you have signed a bunch of JARs that are not published by the
> >     ASF. I suspect I know why this is but could you briefly explain why you
> >     needed to do this please?
> >
> >     Secondly, when naming your versions, please could you include "Apache
> >     OpenMeetings" in the version name? As the number of TLPs using the
> >     service increases it makes it much easier for infra to track who is
> >     using the service if we see "Apache OpenMeetings 3.0.4-RELEASE" in the
> >     GUI rather than just "3.0.4-RELEASE".
> >
> >     I trust that there are no outstanding issues for you with the code
> >     signing service (I'm guessing not since you did a release but it is
> >     always good to make sure).
> >
> >     Thanks in advance,
> >
> >     Mark
> >
> >
> > --
> > WBR
> > Maxim aka solomax

--
WBR
Maxim aka solomax
