Re: [CODE]: update code signing for Windows
On 6/22/12 4:34 PM, Rob Weir wrote: On Fri, Jun 22, 2012 at 9:04 AM, Jürgen Schmidt jogischm...@googlemail.com wrote: On 6/22/12 2:34 PM, Jürgen Schmidt wrote: On 6/22/12 1:47 PM, O.Felka wrote: Hello Jürgen, Am 22.06.2012 13:03, schrieb Jürgen Schmidt: Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. I've made some quick tests under XP and Win7. Starting the zipped file for unpacking gives a an unknown distributor in the UAC dialog. I assume that is normal because the self signed certificate can't be verified but I have to collect more info ... I double checked on my machine where the certificate is already known and I get as verified publisher Apache OpenOffice (Dev Build) Is there a way that testers can import the same certificate, so the signature verification works like it would with a real cert? yes I think so, it should be possible to import the cert in a local cert store. I can provide the *.cer file on demand. Please drop me an email. Juergen The same when I start the the setup.exe. The properties of the zipped download file, the msi file and the setup.exe shoa Apache OpenOffice (DevBuild) as 'Signaturgeberinformation'. that is expected Installing the Office and looking at the 'control panel - Add remove and software' shows OpenOffice.org as distributor. mmh, I am not sure where this information comes from. Again I have collect more info... but in the control panel I still get as publisher OpenOffice.org mmh... Could that be a vendor resource string associated with the EXE or DLL header PE header? -Rob Juergen But thanks for the feedback Juergen I fear that this is not what you've wanted. Groetjes, Olaf You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen
Re: [CODE]: update code signing for Windows
On 6/22/12 7:13 PM, Dennis E. Hamilton wrote: +1 Installing a small .exe is even better. Hello World is always a good choice. The .exe and the installer both must be signed, though not necessarily at the same time. I am not sure, signing an .exe is no rocket science and the signtool of MS is well documented. I am more interested in a working workflow with a valid signed office setup binary (downloadable .exe) as outcome. Juergen -Original Message- From: sebb [mailto:seb...@gmail.com] Sent: Friday, June 22, 2012 10:06 To: ooo-dev@incubator.apache.org Subject: Re: [CODE]: update code signing for Windows [ ... ] Just a suggestion: since you are testing the signing process here, the actual content is irrelevant. So you could make a much smaller file that just installs a text file (or something like that). [ ... ]
[CODE]: update code signing for Windows
Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen
Re: [CODE]: update code signing for Windows
Hello Jürgen, Am 22.06.2012 13:03, schrieb Jürgen Schmidt: Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. I've made some quick tests under XP and Win7. Starting the zipped file for unpacking gives a an unknown distributor in the UAC dialog. The same when I start the the setup.exe. The properties of the zipped download file, the msi file and the setup.exe shoa Apache OpenOffice (DevBuild) as 'Signaturgeberinformation'. Installing the Office and looking at the 'control panel - Add remove and software' shows OpenOffice.org as distributor. I fear that this is not what you've wanted. Groetjes, Olaf You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen
Re: [CODE]: update code signing for Windows
On 6/22/12 1:47 PM, O.Felka wrote: Hello Jürgen, Am 22.06.2012 13:03, schrieb Jürgen Schmidt: Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. I've made some quick tests under XP and Win7. Starting the zipped file for unpacking gives a an unknown distributor in the UAC dialog. I assume that is normal because the self signed certificate can't be verified but I have to collect more info ... The same when I start the the setup.exe. The properties of the zipped download file, the msi file and the setup.exe shoa Apache OpenOffice (DevBuild) as 'Signaturgeberinformation'. that is expected Installing the Office and looking at the 'control panel - Add remove and software' shows OpenOffice.org as distributor. mmh, I am not sure where this information comes from. Again I have collect more info... But thanks for the feedback Juergen I fear that this is not what you've wanted. Groetjes, Olaf You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen
Re: [CODE]: update code signing for Windows
On 6/22/12 2:34 PM, Jürgen Schmidt wrote: On 6/22/12 1:47 PM, O.Felka wrote: Hello Jürgen, Am 22.06.2012 13:03, schrieb Jürgen Schmidt: Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. I've made some quick tests under XP and Win7. Starting the zipped file for unpacking gives a an unknown distributor in the UAC dialog. I assume that is normal because the self signed certificate can't be verified but I have to collect more info ... I double checked on my machine where the certificate is already known and I get as verified publisher Apache OpenOffice (Dev Build) The same when I start the the setup.exe. The properties of the zipped download file, the msi file and the setup.exe shoa Apache OpenOffice (DevBuild) as 'Signaturgeberinformation'. that is expected Installing the Office and looking at the 'control panel - Add remove and software' shows OpenOffice.org as distributor. mmh, I am not sure where this information comes from. Again I have collect more info... but in the control panel I still get as publisher OpenOffice.org mmh... Juergen But thanks for the feedback Juergen I fear that this is not what you've wanted. Groetjes, Olaf You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen
Re: [CODE]: update code signing for Windows
On Fri, Jun 22, 2012 at 9:04 AM, Jürgen Schmidt jogischm...@googlemail.com wrote: On 6/22/12 2:34 PM, Jürgen Schmidt wrote: On 6/22/12 1:47 PM, O.Felka wrote: Hello Jürgen, Am 22.06.2012 13:03, schrieb Jürgen Schmidt: Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. I've made some quick tests under XP and Win7. Starting the zipped file for unpacking gives a an unknown distributor in the UAC dialog. I assume that is normal because the self signed certificate can't be verified but I have to collect more info ... I double checked on my machine where the certificate is already known and I get as verified publisher Apache OpenOffice (Dev Build) Is there a way that testers can import the same certificate, so the signature verification works like it would with a real cert? The same when I start the the setup.exe. The properties of the zipped download file, the msi file and the setup.exe shoa Apache OpenOffice (DevBuild) as 'Signaturgeberinformation'. that is expected Installing the Office and looking at the 'control panel - Add remove and software' shows OpenOffice.org as distributor. mmh, I am not sure where this information comes from. Again I have collect more info... but in the control panel I still get as publisher OpenOffice.org mmh... Could that be a vendor resource string associated with the EXE or DLL header PE header? -Rob Juergen But thanks for the feedback Juergen I fear that this is not what you've wanted. Groetjes, Olaf You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen
Re: [CODE]: update code signing for Windows
On 22 June 2012 12:03, Jürgen Schmidt jogischm...@googlemail.com wrote: Hi, I analyzed and played with code signing on Windows using a self signed test certificate. Thanks to Andre and his Perl skills I was able to fix a strange build problem with a too long command line triggered from a makefile to perl. Anyway this is solved now. I have now signed a full install set and would like to ask if somebody is interested to test it and give me feedback. You can find a signed download file under http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe NOICE: this is a build based on AOO34 branch without the updated version numbers. It's no dev build, please be careful if you test it. Just a suggestion: since you are testing the signing process here, the actual content is irrelevant. So you could make a much smaller file that just installs a text file (or something like that). I have to check the whole process and probably have to improve some things to make it final. The last important step is triggered manual by now. I use a Personal Information Exchange file (*.pfx) of my self signed certificate with a passcode that is specified during the build process. This seems to be a good approach to handle a certificate in this scenario and during our build process. I will keep you informed... Juergen