Andrea,

Although I consider this very important, I am so far back on the learning curve 
on working with the actual bits that I don't think I can provide anything 
competent in a short time.  If you think there is a useful way for me to move 
along the curve in time to be useful, I am open to it.

One question, also for Jürgen and Jan.  Is it possible to enter the signing 
process for just the last step -- using the 4.1.1 setup files, which are easily 
available, and making an installer file with appropriate file properties and a 
signature?  (Or even sign the existing installer file, if it is in the proper 
format for inserting the information and signature.)  That is, the .cab, .msi, 
and setup.exe would be completely unchanged.

It is not the whole job, but it would make for an easy 4.1.1 slip-stream update 
and start solving one of the problems of being able to identify the origin of 
"courtesy" binaries that the project is willing to support.

(There are loud reminders on other lists that courtesy binaries are not Apache 
capital-R Releases, only the sources are, so this would technically not involve 
a new AOO Project Release at all.  There should be absolutely no difference 
other than the installer is authenticated and makes Windows happier in itself, 
without worrying about Windows certification at this stage.)

It would still have to be project-managed in the sense that all of the measures 
to preserve binary authenticity and provide accompanying binary release 
management internal to AOO should be followed.

Still thinking out loud, wanting to be helpful.

 - Dennis

PS: Corinthia has to learn to do this anyhow, but that incubator has the 
advantage of not being under any time pressure and can provide signed binaries 
from the beginning, so teething and preserving the knowledge may be easier.



-----Original Message-----
From: Andrea Pescetti [mailto:pesce...@apache.org] 
Sent: Tuesday, December 9, 2014 00:17
To: dev@openoffice.apache.org
Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)

Jürgen Schmidt wrote:
> We had a signing mechanism in place for a long time and the reason why
> we have currently no digital signing is the lack of a certificate where
> we as project (PMC) or as representative the release manager have enough
> control.

I do have a certificate and access key to the signing service. Details 
in my "OpenOffice and Infra" report 
http://markmail.org/message/6ymi35tajswcfsps item 4.

Of course, I'm more than happy if someone else is willing to help with 
this; maybe Jan's work of months ago can now be reused and we can sign 
with minimal effort.

Regards,
   Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

