On 6/22/12 4:34 PM, Rob Weir wrote:
> On Fri, Jun 22, 2012 at 9:04 AM, Jürgen Schmidt
> <jogischm...@googlemail.com> wrote:
>> On 6/22/12 2:34 PM, Jürgen Schmidt wrote:
>>> On 6/22/12 1:47 PM, O.Felka wrote:
>>>> Hello Jürgen,
>>>>
>>>> On 22.06.2012 13:03, Jürgen Schmidt wrote:
>>>>> Hi,
>>>>>
>>>>> I analyzed and played with code signing on Windows using a self signed
>>>>> test certificate.
>>>>>
>>>>> Thanks to Andre and his Perl skills I was able to fix a strange build
>>>>> problem with a too long command line triggered from a makefile to perl.
>>>>> Anyway this is solved now.
>>>>>
>>>>> I have now signed a full install set and would like to ask if somebody
>>>>> is interested to test it and give me feedback.
>>>>
>>>> I've made some quick tests under XP and Win7.
>>>> Starting the zipped file for unpacking gives an unknown distributor in
>>>> the UAC dialog.
>>>
>>> I assume that is normal because the self signed certificate can't be
>>> verified but I have to collect more info ...
>>
>> I double checked on my machine where the certificate is already known
>> and I get as verified publisher "Apache OpenOffice (Dev Build)"
>>
>
> Is there a way that testers can import the same certificate, so the
> signature verification works like it would with a real cert?
>

yes I think so, it should be possible to import the cert in a local cert
store. I can provide the *.cer file on demand. Please drop me an email.

Juergen

>>>
>>> The same when I start the setup.exe.
>>>> The properties of the zipped download file, the msi file and the
>>>> setup.exe show "Apache OpenOffice (DevBuild)" as
>>>> 'Signaturgeberinformation'.
>>>
>>> that is expected
>>>
>>>>
>>>> Installing the Office and looking at the 'control panel -> Add remove
>>>> and software' shows "OpenOffice.org" as distributor.
>>>
>>> mmh, I am not sure where this information comes from. Again I have
>>> to collect more info...
>>
>> but in the control panel I still get as publisher "OpenOffice.org"
>>
>> mmh...
>
> Could that be a vendor resource string associated with the EXE or DLL
> header PE header?
>
> -Rob
>
>>
>> Juergen
>>
>>
>>>
>>> But thanks for the feedback
>>>
>>> Juergen
>>>
>>>>
>>>> I fear that this is not what you've wanted.
>>>>
>>>> Greetings,
>>>> Olaf
>>>>
>>>>>
>>>>> You can find a signed download file under
>>>>> http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe
>>>>>
>>>>>
>>>>> NOTICE: this is a build based on AOO34 branch without the updated version
>>>>> numbers. It's no dev build, please be careful if you test it.
>>>>>
>>>>> I have to check the whole process and probably have to improve some
>>>>> things to make it final. The last important step is triggered manually by
>>>>> now.
>>>>>
>>>>> I use a Personal Information Exchange file (*.pfx) of my self signed
>>>>> certificate with a passcode that is specified during the build process.
>>>>>
>>>>> This seems to be a good approach to handle a certificate in this
>>>>> scenario and during our build process.
>>>>>
>>>>> I will keep you informed...
>>>>>
>>>>> Juergen
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>