openoffice-dev mailing list archives

From "Dennis E. Hamilton"
Subject RE: Digital signing release for windows.
Date Thu, 25 Dec 2014 17:35:21 GMT

 -- replying to --
From: jan i
Sent: Thursday, December 25, 2014 07:51
To: dev
Subject: Digital signing release for windows.

[ ... ]

My suggestion is simple, let's rerun AOO 4.1 for windows, sign it digitally,
and then release it as a patch version.

I am happy to help, especially with the signing, but to help I need access
to the certificate given to the PMC, and somebody who can make a release
windows build.

   The official key is not needed in order to confirm a successful signing.
   Demonstrating a successful signing with any verifiable key is good 
   enough to establish that the end-to-end procedure works.  Then take the
   same originals back through the ASF signing process.

   A shortcut, which I am puzzling about, is to not even do a new build but
   use the artifacts that are already in the Apache 4.1.1 distribution.
   (It does mean the cab may have to be opened, and I am not certain how
   that works for signing).  This has the advantage of preserving the
   provenance of the distribution, because apart from signing the artifacts
   are identical.

   It might be too difficult to interrupt the process to just use the end-stage
   that puts together the (now-signed) cab contents and the installer package.  

   In that case, it might be good enough to experiment with on a single language
   but not for a new binary release.  But if we are certain there is a working
   process but new builds are needed, waiting for 4.1.1 seems like a good idea.
   One can then verify the process using a developer build before going to rc01.

   Also, I think it is still necessary to see what the problem was with having
   a signed installer (actually, a setup self-extractor the way AOO does it)
   that creates a setup directory of unsigned artifacts.  The Windows 8[.1]
   Problem seems odd.  If it doesn't complain when the 4.1.1 extraction is
   done with an unsigned installer, I can't quite get the problem.  It may be
   that the way I do installs avoids that problem and that might be useful to
   understand.  (I don't let the installer crap on my desktop, and I have it
   use a share on a file server instead, and setup runs from there just fine
   on 8.1 and Windows 10 Technical Preview.)


Steps are simple:
1) make a full build, pick all DLL, JAR and EXE from the object tree
2) Sign them, or let me help with that
3) Overwrite the object tree with the signed artifacts
4) run build but on postprocess (generate new setup package)
5) Sign the installer or let me help with that
6) Upload and start vote
7) Upload to dist and be happy.

[ ... ]
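
The provenance point in the reply above (signed artifacts identical to the released ones apart from the signature) can be checked mechanically for EXE and DLL files. The following is an added example, not part of the message or of the AOO build: it hashes a PE image while skipping the three regions that signing rewrites (the CheckSum field, the Certificate Table directory entry, and the appended certificate data), which are the regions the Authenticode digest also excludes. The function names, the constructed sample image, and the `simulate_signing` stand-in are hypothetical; the sketch assumes the certificate table is the last thing in the file.

```python
import hashlib
import struct

def unsigned_digest(data: bytes) -> str:
    """SHA-256 of a PE image, skipping the regions that signing rewrites."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                          # skip PE signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                    # CheckSum field (4 bytes)
    entry = opt + (96 if magic == 0x10B else 112) + 4 * 8  # Certificate Table entry
    cert_off, cert_len = struct.unpack_from("<II", data, entry)
    if cert_len and cert_off + cert_len != len(data):
        raise ValueError("certificate table is not at the end of the file")
    end = cert_off if cert_len else len(data)
    h = hashlib.sha256()
    for chunk in (data[:checksum], data[checksum + 4:entry], data[entry + 8:end]):
        h.update(chunk)
    h.update(b"\0" * (-end % 8))                           # signers pad to 8 bytes first
    return h.hexdigest()

def constructed_pe(body: bytes) -> bytes:
    """Constructed minimal PE32 skeleton; sample input, not a loadable binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    optional = struct.pack("<H", 0x10B) + bytes(222)       # 96 bytes + 16 directories
    return dos + b"PE\0\0" + bytes(20) + optional + body

def simulate_signing(image: bytes, blob: bytes) -> bytes:
    """Hypothetical stand-in for a signer: pad, append blob, patch the header."""
    out = bytearray(image + b"\0" * (-len(image) % 8))
    off, pe = len(out), struct.unpack_from("<I", image, 0x3C)[0]
    struct.pack_into("<I", out, pe + 24 + 64, 0x1234ABCD)  # new checksum value
    struct.pack_into("<II", out, pe + 24 + 96 + 32, off, len(blob))
    return bytes(out) + blob

if __name__ == "__main__":
    released = constructed_pe(b"soffice-code!")            # 13 bytes, forces padding
    signed = simulate_signing(released, b"PKCS7-PLACEHOLDER")
    rebuilt = simulate_signing(constructed_pe(b"soffice-c0de!"), b"PKCS7-PLACEHOLDER")
    print("signed matches release: ", unsigned_digest(signed) == unsigned_digest(released))
    print("rebuilt matches release:", unsigned_digest(rebuilt) == unsigned_digest(released))
```

This covers only PE files and says nothing about whether the signature itself verifies; JAR files and the cab or installer packaging change in other ways when signed and need their own comparison.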
