I don't know if this is helpful or not.  I'm not in a position to check.

Thinking out loud:

There are two cases of signatures.

 1. Digital signing of installable components, such as DLLs and such.  This is 
also important but a second-order problem.

 2. Digital signing of the installer binary (the .EXE).  That or shipping a 
signed .MSI.
    This is more important.  It has to do with raising the confidence in 
downloads and installs and is of immediate benefit.  

It *may* be the case that the installer binary .EXE already has room in the 
file for a signature and it is simply not being used.  The properties on the 
binary .EXE are also not filled in for AOO 4.1.1 en-US.  Those are the ones 
that show a File description, File version, Product name, Product version, 
Copyright, Language, etc. 

It might be worthwhile to see if the properties and signature can be injected 
in the .EXE already.  And if not, it may be possible to rebuild the .EXE, since 
the bits are still around.  They are what are extracted into a folder which is 
then used for running setup.

If feasible, this strikes me as a perfectly worthwhile exercise for 
slip-streaming a signed binary of AOO 4.1.1 for Windows.  As Andrea remarks, it 
would also be a right-sized teething exercise for our learning how to work 
through the signing process.

I'm all for starting with the least that could possibly work, even though I 
have no expertise on this.

 - Dennis

-----Original Message-----
From: Andrea Pescetti [mailto:pesce...@apache.org] 
Sent: Monday, December 8, 2014 15:08
To: dev@openoffice.apache.org
Subject: Re: Budapest and thereafter.

Marcus wrote:
> Am 12/08/2014 02:32 PM, schrieb Andrea Pescetti:
>> We could actually do both, if you believe it makes sense:
>> - signed 4.1.1 (next Windows binaries only) by end of December
>> - 4.1.2 in January
> IMHO this doesn't make sense and would be just a waste of resources,
> when doing 2 releases in such a short time frame.
> But I would tend to do only the bigger release (4.1.2) - let's say in
> January/February. When ...

Honestly, Infra would like (and they are right) that after asking for 
years for digital signing, we actually use it. We can't put many 
obstacles in front of it. So a long list of things that we must have 
ready before that won't work. Signing Windows binaries will have to 
happen, and users will benefit from it in terms of trust in OpenOffice.

Assuming that more or less we can master the technology, distributing 
the 4.1.1 signed binaries is not a huge feat for us (it would need 
production of the new binaries and their upload to a new directory like 
"windows-signed" and defaulting to "windows-signed" in the JavaScript in 
the download page). It is far less than a release and at least it could 
show that on this (new for OpenOffice) topic we are ready.

In case I wasn't clear (and this is my fault for not summarizing the 
Budapest talks correctly) signed binaries have high priority. One way is 
to make a 4.1.2 release and sign it, and this requires going through the 
whole process (no, it can't be a Windows-only release). Another way is 
to ship a signed version of the existing 4.1.1 binaries as a "warm up" 
for the moment when this will be an integral part of the release process.

Regards,
   Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
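
The question raised at the top of this message, whether the installer .EXE already carries a version-resource table and a signature slot, can be answered by reading the PE data directories. This is an added example, not part of the thread or of the AOO build; the names `pe_directories` and `build_sample` are hypothetical, and the sample image is constructed in the code. It reports only whether the tables are present and does not validate any signature.

```python
import struct

RESOURCE_DIR, SECURITY_DIR = 2, 4  # data-directory indexes in the PE optional header

def pe_directories(data: bytes) -> dict:
    """Report whether a PE image has a resource table and a certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                                  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                 # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                               # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", data, count_off)

    def entry(index):
        if index >= count:
            return (0, 0)
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    _, res_size = entry(RESOURCE_DIR)                  # version info lives in resources
    cert_off, cert_size = entry(SECURITY_DIR)          # a file offset, not an RVA
    return {
        "has_resources": res_size > 0,
        "has_certificate_table": cert_size > 0 and cert_off + cert_size <= len(data),
        "certificate_table": (cert_off, cert_size),
    }

def build_sample(cert_size: int) -> bytes:
    """Constructed minimal PE32 header for the demo; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    header_len = 0x40 + 24 + 224
    if cert_size:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, header_len, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size

if __name__ == "__main__":
    for size in (0, 16):
        print(size, pe_directories(build_sample(size)))
```

An empty certificate-table entry means the file is unsigned; signing appends the signature data to the end of the file and fills that entry in.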



