[
https://issues.apache.org/jira/browse/WOOKIE-139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422297#comment-13422297
]
Paul Sharples commented on WOOKIE-139:
--------------------------------------
Just an update. I've finally been able to get it working. I applied the patch
to the wookie codebase locally on my machine.
Some things of note...
The wookiekeystore.jks file seems to have been corrupted and won't load into
the application (possibly it was mangled when the patch was created)
I generated another one using the java keytool and the application got further,
but failed when I tried to sign the resources...
Exception in thread "AWT-EventQueue-0" java.lang.AbstractMethodError:
org.apache.xerces.dom.ElementNSImpl.setIdAttributeNS(Ljava/lang/String;Ljava/lang/String;Z)V
at
org.apache.xml.security.signature.XMLSignature.setId(XMLSignature.java:422)
at org.apache.wookie.digsig.ui.SignWidgets.sign(SignWidgets.java:148)
A google search on this message seems to point to a possible issue with the
xerces library.
(An old version of xerces (2.0.2) is added to the wookie classpath in ivy as a
dependency of ddlutils)
When I removed the ddlutils ivy reference, the digsig application ran without
errors.
I'm interested to know if you had the digsig code as part of the wookie code in
your IDE or was it setup as a separate project?
If it was part of the existing wookie code, what version of 'XercesImpl' is on
the classpath? (retrieved by ivy)
thanks
> Implement the W3C XML Digital Signatures for Widgets specification in Wookie
> ----------------------------------------------------------------------------
>
> Key: WOOKIE-139
> URL: https://issues.apache.org/jira/browse/WOOKIE-139
> Project: Wookie
> Issue Type: New Feature
> Reporter: Scott Wilson
> Labels: gsoc2012, mentor
> Attachments: Signer_W3C_widget_digisg.patch,
> Wookie_Widget_Signer_Guide, logo.png
>
>
> W3C XML Digital Signatures for Widgets specifies how both authors and
> distributors of widgets can digitally sign a Widget package:
> The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/
> This means that an organisation can choose to automatically install and
> update widgets that carry recognised signatures - for example from a
> reputable online widget store (distributor) or from an approved widget author
> rather than require admin intervention to approve them.
> For Wookie this means implementing the mechanism for locating and verifying
> W3C signature.xml files in Widgets, and providing signature management
> options.
> For example, we may want to have a configuration property set for requiring
> signatures be checked, and a file where trusted signatories are listed for
> checking against when a new widget is uploaded, or a new version is detected
> online using Widget Updates.
> We may also want to look at how Wookie can delegate upwards decisions based
> on signature verification, for example to let an Apache Rave admin choose to
> allow automatic publishing of signed widgets from trusted sources provided
> that Wookie has verified the signature and returned this information to Rave.
> This could be handled in the response to uploading a widget to Wookie using
> the REST API, e.g. adding <signature verified="true" type="author"/> to the
> metadata returned in the response body.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
