Thanks Jan, It would be a great help to have links to the posts that document your findings so that someone else could follow in your footsteps and especially figure out what the problem is with Windows 8.1 rejecting unsigned files.
May I impose on you for that, please? I see your 2014-12-09 post on Re: Signing AOO 4.1.1 and it is too complicated for me, since I don't understand how to build AOO for Windows in the first place [;<). I don't see anything else since I subscribed on 2014-06-22. I may have deleted something that I thought was not of interest to me, but I hope not. Perhaps I am simply not competent enough with the build process to participate in this area. - Dennis PS: I have no access to private @ oo.a.o -----Original Message----- From: jan i [mailto:j...@apache.org] Sent: Thursday, December 25, 2014 13:25 To: dev; Dennis Hamilton Subject: Re: Digital signing release for windows. [ ... ] OK let me be very precise about the use of my "hats". As AOO Committer I tested how AOO could implement digital signing, As INFRA committer I helped ASF find a solution that would work for all projects. I cannot tell you what it has to do with AOO learning, because I am not sure what you mean. I documented my findings on this list. [ ... ] Simply read the cook receipt I wrote on this thread (and other threads). There are no magic to it, no change to the build system is needed unless we want to automate it. [ ... ] See earlier mails on this list, with subject digital signing (ps. some of the mails might also be on private). If you want to know how ASF have implemented digital signing, you need to search in Infra ML. Basically we can sign artifacts using a tomcat script/program which we could call from inside our build system or use the Web UI to manually sign the artifacts. The build system is not easy to expand (I think everybody who have tried will agree to that), I tried to change it based on the capstone output, but failed. Then I realised that manually uploading the artifacts to the webUI, signing them and then downloading them again was a lot faster. > </orcmid> > > > > > A shortcut, which I am puzzling about is to not even do a new build > but > > use the artifacts that are already in the Apache 4.1.1 distribution. > > (It does mean the cab may have to be opened, and I am not certain how > > that works for signing). This has the advantage of preserving the > > provenance of the distribution, because apart from signing the > artifacts > > are identical. > > with my knowledge this would be far more difficult, > > > > > It might be too difficult to interrupt the process to just use the > > end-stage > > that puts together the (now-signed) cab contents and the installer > > package. > > you dont interrupt the process, you simply start the build process in the > right directory, this is a standard facility of our build system. > > <orcmid> > Then it is relatively easy to put together a signed distribution using > existing artifacts? > Yes very. The time/CPU killer is getting the artifacts build, not the signing afterwards. > </orcmid> > > > > > In that case, it might be good enough to experiment with on a single > > language > > but not for a new binary release. But if we are certain there is a > > working > > process but new builds are needed, waiting for 4.1.1 seems like a good > > idea. > > One can then verify the process using a developer build before going > to > > rc01. > > The release candidate should only be in a single language, but since we > vote on binaries as well The vote should be on all languages we want to > release. > > <orcmid> > I don't understand. I thought the idea was to *not* do a new Apache > release, but reissue signed convenience binaries. > A patch is also a apache release, and since the checksums change it is formally not the same. "real" apache releases only have source code, so they would never use digital signing. We do however provide binaries as the primary target for end-users with checksums. > > For that, the best provenance is binaries that have already been > through the release-process-like approval of the previous binaries. > Or are those not done in combination? > We cannot use the binaries for 4.1 unless someone can show how we easily can "split" the installer and then "combine" it again. We need a build tree so that our builder can run and generate a new installer. The checksum for the new installer is different from the old installer, so we cannot just "overwrite" version 4.1 we need a patch number. rgds jan i. > </orcmid> > > > > > Also, I think it is still necessary to see what the problem was with > > having > > a signed installer (actually, a setup self-extractor the way AOO does > > it) > > that creates a setup directory of unsigned artifacts. The Windows > 8[.1] > > Problem seems odd. If it doesn't complain when the 4.1.1 extraction > is > > done with an unsigned installer, I can't quite get the problem. It > may > > be > > that the way I do installs avoids that problem and that might be > useful > > to > > understand. (I don't let the installer crap on my desktop, and I have > > it > > use a share on a file server instead, and setup runs from there just > > fine > > on 8.1 and Windows 10 Technical Preview.) > > it has been tried both by myself and mark from tomcat, for 8.1 we need the > runtime objects signed, for older versions your idea works well. > > <orcmid> > Help me understand what is happening. I understand that the full > signing > is required for certification, and Rob also commented about some sort of > complaint. Yet I have AOO 4.1.1 installed and operating without any > complaints on Windows 8.1 and on Window 10 Technology Preview. > Did it not complain when you installed it and first time you started it....that at least happened for me. Once you have installed it (and accepted an untrusted source) and run it the first time, Windows registers that you have allowed it and does not complain anymore. > > I am having difficulty comprehending how having the extractor signed > and not having the setup files signed screws this up. Is there something > else in the install scenario also being changed? > That is because windows started in version 8.1 to check when it loaded files and not only when setup runs. See above why it does not complain anymore on your system. > > PS: I am going to try this myself, but I am not ready to alter my > development configuration just yet. I am almost there. > OK, I will be glad to help. rgds jan I. > </orcmid> > > rgds > jan i > > > </orcmid> > > > > > > > > Steps are simple: > > 1) make a full build, pick all DLL, JAR and EXE from the object tree > > 2) Sign them, or let me help with that > > 3) Overwrite the object tree with the signed artifacts > > 4) run build but on postprocess (generate new setup package) > > 5) Sign the installer or let me help with that > > 6) Upload and start vote > > 7) Upload to dist and be happy. > > > > [ ... ] > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > > <javascript:;> > > For additional commands, e-mail: dev-h...@openoffice.apache.org > > <javascript:;> > > > > > > -- > Sent from My iPad, sorry for any misspellings. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
