From: Rob Weir
To: ooo-dev@incubator.apache.org
Date: Fri, 22 Jun 2012 10:34:40 -0400
Subject: Re: [CODE]: update code signing for Windows

On Fri, Jun 22, 2012 at 9:04 AM, Jürgen Schmidt wrote:
> On 6/22/12 2:34 PM, Jürgen Schmidt wrote:
>> On 6/22/12 1:47 PM, O.Felka wrote:
>>> Hello Jürgen,
>>>
>>> On 22.06.2012 13:03, Jürgen Schmidt wrote:
>>>> Hi,
>>>>
>>>> I analyzed and played with code signing on Windows using a self signed
>>>> test certificate.
>>>>
>>>> Thanks to Andre and his Perl skills I was able to fix a strange build
>>>> problem with a too long command line triggered from a makefile to perl.
>>>> Anyway this is solved now.
>>>>
>>>> I have now signed a full install set and would like to ask if somebody
>>>> is interested to test it and give me feedback.
>>>
>>> I've made some quick tests under XP and Win7.
>>> Starting the zipped file for unpacking gives an unknown distributor in
>>> the UAC dialog.
>>
>> I assume that is normal because the self signed certificate can't be
>> verified but I have to collect more info ...
>
> I double checked on my machine where the certificate is already known
> and I get as verified publisher "Apache OpenOffice (Dev Build)"
>

Is there a way that testers can import the same certificate, so the
signature verification works like it would with a real cert?

>>
>>  The same when I start the setup.exe.
>>> The properties of the zipped download file, the msi file and the
>>> setup.exe show "Apache OpenOffice (DevBuild)" as
>>> 'Signaturgeberinformation'.
>>
>> that is expected
>>
>>>
>>> Installing the Office and looking at the 'control panel -> Add remove
>>> and software' shows "OpenOffice.org" as distributor.
>>
>> mmh, I am not sure where this information comes from. Again I have to
>> collect more info...
>
> but in the control panel I still get as publisher "OpenOffice.org"
>
> mmh...

Could that be a vendor resource string associated with the EXE or DLL
header PE header?

-Rob

>
> Juergen
>
>
>>
>> But thanks for the feedback
>>
>> Juergen
>>
>>>
>>> I fear that this is not what you've wanted.
>>>
>>> Greetings,
>>> Olaf
>>>
>>>>
>>>> You can find a signed download file under
>>>> http://people.apache.org/~jsc/signing_test/Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe
>>>>
>>>>
>>>> NOTICE: this is a build based on AOO34 branch without the updated version
>>>> numbers. It's no dev build, please be careful if you test it.
>>>>
>>>> I have to check the whole process and probably have to improve some
>>>> things to make it final. The last important step is triggered manually by
>>>> now.
>>>>
>>>> I use a Personal Information Exchange file (*.pfx) of my self signed
>>>> certificate with a passcode that is specified during the build process.
>>>>
>>>> This seems to be a good approach to handle a certificate in this
>>>> scenario and during our build process.
>>>>
>>>> I will keep you informed...
>>>>
>>>> Juergen
>>>>
>>>
>>>
>>
>>
>
>
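One way a tester could trust the self-signed test certificate on a test machine and confirm the result, as an added example that is not part of the original thread. It assumes the signer exports the public certificate as a .cer file (the thread offers no such file; the parameter names and file paths are hypothetical), and it refuses to trust anything other than the certificate that actually signed the installer.

```powershell
# Added example. Hypothetical inputs, not from the thread:
#   -CertPath   public part (.cer) of the self-signed test certificate, never the .pfx
#   -Installer  the signed install set being tested
#   -Remove     undo the trust change once testing is finished
param(
    [Parameter(Mandatory = $true)] [string] $CertPath,
    [Parameter(Mandatory = $true)] [string] $Installer,
    [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Location = 'CurrentUser',
    [switch] $Remove
)

# .NET resolves relative paths against the process directory, so resolve first.
$certFile = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile

# A tester only needs the public certificate; a private key must stay with the build.
if ($cert.HasPrivateKey) {
    throw 'This file contains a private key. Import only the exported public certificate.'
}

# Check what the installer is signed with before changing any trust settings.
$before = Get-AuthenticodeSignature -FilePath $Installer
if (-not $before.SignerCertificate) {
    throw "$Installer carries no Authenticode signature."
}
if ($before.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'The offered certificate did not sign this installer; not trusting it.'
}
"Before: $($before.Status) - $($before.StatusMessage)"

# A self-signed certificate is its own root, so it goes into Root, and into
# TrustedPublisher so the signer counts as a known publisher.
# LocalMachine requires an elevated prompt; CurrentUser affects this account only.
$storeLocation = [System.Security.Cryptography.X509Certificates.StoreLocation] $Location
foreach ($name in 'Root', 'TrustedPublisher') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $name, $storeLocation
    $store.Open('ReadWrite')
    try {
        if ($Remove) { $store.Remove($cert) } else { $store.Add($cert) }
    }
    finally {
        $store.Close()
    }
}

# Re-evaluate the same file against the updated stores.
$after = Get-AuthenticodeSignature -FilePath $Installer
"After:  $($after.Status) - $($after.SignerCertificate.Subject)"
```

Run it again with -Remove when testing is done, so the test certificate does not stay trusted on the machine.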