Thanks for the great service :)

On Wed, Mar 18, 2015 at 8:17 PM, Mark Thomas <[email protected]> wrote:

> On 18/03/2015 14:12, Maxim Solodovnik wrote:
> > Hello Mark,
> >
> > sorry for answering the wrong question
> > our web application has dependencies on 3rd party jar files.
> >
> > All jars, our own and all dependencies, should be signed by the same
> > certificate (otherwise application will not start with "JAR resources
> > in JNLP file are not signed by same certificate" error) please see for ex.
> > here [1]
> >
> > So we have no option not to sign dependency jars
> >
> > [1] https://weblogs.java.net/blog/2005/05/20/signing-jars-javanet-web-start-applications
>
> Maxim,
>
> I thought as much. Thanks for the confirmation.
>
> Happy code signing :)
>
> Mark
>
> >
> > On Wed, Mar 18, 2015 at 3:46 PM, Mark Thomas <[email protected]> wrote:
> >
> > On 17/03/2015 03:14, Maxim Solodovnik wrote:
> > > Hello Mark,
> > >
> > > I have signed lots of jars during testing period, then to resolve some
> > > issues with code signing service
> > > Recently I signed additional jars to write correct instruction [1]
> > >
> > > I'll update the guide, and will use "Apache Openmeetings ***" name for
> > > further releases
> > > Please let me know if any other changes are required
> >
> > Maxim,
> >
> > I think you misunderstood my question. Sorry it wasn't clear. I'll be
> > more explicit.
> >
> > There is no concern about the number of test signings. The concern that
> > has been raised is around the one production signing.
> >
> > Why, in the one production signing OpenMeetings has done so far, did you
> > sign a bunch of JARs that are not 'owned' by the ASF. For example,
> > spring-beans-4.0.8-RELEASE?
> >
> > Cheers,
> >
> > Mark
> >
> > >
> > > [1] http://openmeetings.apache.org/ReleaseGuide.html
> > >
> > > On Tue, Mar 17, 2015 at 2:50 AM, Mark Thomas <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > David (V.P. Infra) asked me (with my infra hat on) to take a quick look
> > > at your recent(ish) code signing.
> > >
> > > I see that you have signed a bunch of JARs that are not published by the
> > > ASF. I suspect I know why this is but could you briefly explain why you
> > > needed to do this please?
> > >
> > > Secondly, when naming your versions, please could you include "Apache
> > > OpenMeetings" in the version name? As the number of TLPs using the
> > > service increases it makes it much easier for infra to track who is
> > > using the service if we see "Apache OpenMeetings 3.0.4-RELEASE" in the
> > > GUI rather than just "3.0.4-RELEASE".
> > >
> > > I trust that there are no outstanding issues for you with the code
> > > signing service (I'm guessing not since you did a release but it is
> > > always good to make sure).
> > >
> > > Thanks in advance,
> > >
> > > Mark
> > >
> > >
> > > --
> > > WBR
> > > Maxim aka solomax
> >
> >
> > --
> > WBR
> > Maxim aka solomax

--
WBR
Maxim aka solomax
