On 18/03/2015 14:12, Maxim Solodovnik wrote:
> Hello Mark,
>
> sorry for answering the wrong question
> our web application has dependencies on 3rd party jar files.
>
> All jars, our own and all dependencies, should be signed by the same
> certificate (otherwise the application will not start, with a "JAR resources
> in JNLP file are not signed by same certificate" error) please see for ex.
> here [1]
>
> So we have no option not to sign dependency jars
>
> [1]
> https://weblogs.java.net/blog/2005/05/20/signing-jars-javanet-web-start-applications

Maxim,

I thought as much. Thanks for the confirmation.

Happy code signing :)

Mark

>
> On Wed, Mar 18, 2015 at 3:46 PM, Mark Thomas <[email protected]> wrote:
>
> > On 17/03/2015 03:14, Maxim Solodovnik wrote:
> > > Hello Mark,
> > >
> > > I have signed lots of jars during the testing period, then to resolve some
> > > issues with the code signing service
> > > Recently I signed additional jars to write a correct instruction [1]
> > >
> > > I'll update the guide, and will use "Apache Openmeetings ***" name for
> > > further releases
> > > Please let me know if any other changes are required
> >
> > Maxim,
> >
> > I think you misunderstood my question. Sorry it wasn't clear. I'll be
> > more explicit.
> >
> > There is no concern about the number of test signings. The concern that
> > has been raised is around the one production signing.
> >
> > Why, in the one production signing OpenMeetings has done so far, did you
> > sign a bunch of JARs that are not 'owned' by the ASF? For example,
> > spring-beans-4.0.8-RELEASE?
> >
> > Cheers,
> >
> > Mark
> >
> > >
> > > [1] http://openmeetings.apache.org/ReleaseGuide.html
> > >
> > > On Tue, Mar 17, 2015 at 2:50 AM, Mark Thomas <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > David (V.P. Infra) asked me (with my infra hat on) to take a quick look
> > > > at your recent(ish) code signing.
> > > >
> > > > I see that you have signed a bunch of JARs that are not published by the
> > > > ASF. I suspect I know why this is but could you briefly explain why you
> > > > needed to do this please?
> > > >
> > > > Secondly, when naming your versions, please could you include "Apache
> > > > OpenMeetings" in the version name? As the number of TLPs using the
> > > > service increases it makes it much easier for infra to track who is
> > > > using the service if we see "Apache OpenMeetings 3.0.4-RELEASE" in the
> > > > GUI rather than just "3.0.4-RELEASE".
> > > >
> > > > I trust that there are no outstanding issues for you with the code
> > > > signing service (I'm guessing not since you did a release but it is
> > > > always good to make sure).
> > > >
> > > > Thanks in advance,
> > > >
> > > > Mark
> > >
> > > --
> > > WBR
> > > Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax
