On 9 December 2014 at 16:26, Dennis E. Hamilton <[email protected]>
wrote:

> Andrea,
>
> Although I consider this very important, I am so far back the learning
> curve on working with the actual bits that I don't think I can provide
> anything competent in a short time.  If you think there is a useful way
> for me to move along the curve in time to be useful, I am open to it.
>
> One question, also for Jürgen and Jan.  Is it possible to enter the
> signing process for just the last step -- using the 4.1.1 setup files,
> which are easily available, and making an installer file with appropriate
> file properties and a signature?  (Or even sign the existing installer
> file, if it is in the proper format for inserting the information and
> signature.)  That is, the .cab, .msi, and setup.exe would be completely
> unchanged.
>
No, we need to rebuild (and for every language), because the last step in
the build process needs to be repeated; we cannot just patch the files.

If we could move away from 1 install set per language, the job would be
about 30 times faster :-)



>
> It is not the whole job, but it would make for an easy 4.1.1 slip-stream
> update and start solving one of the problems of being able to identify the
> origin of "courtesy" binaries that the project is willing to support.
>
> (There are loud reminders on other lists that courtesy binaries are not
> Apache capital-R Releases, only the sources are, so this would technically
> not involve a new AOO Project Release at all.  There should be absolutely
> no difference other than the installer is authenticated and makes Windows
> happier in itself, without worrying about Windows certification at this
> stage.)
>

AOO is special compared to most other projects, in that the majority of our
users use the binary package. As a consequence, I recommend a PMC vote,
even if it's not strictly needed.

rgds
jan i.

>
> It would still have to be project-managed in the sense that all of the
> measures to preserve binary authenticity and provide accompanying binary
> release management internal to AOO should be followed.
>
> Still thinking out loud, wanting to be helpful.
>
>  - Dennis
>
> PS: Corinthia has to learn to do this anyhow, but that incubator has the
> advantage of not being under any time pressure and can provide signed
> binaries from the beginning, so teething and preserving the knowledge may
> be easier.
>
>
>
> -----Original Message-----
> From: Andrea Pescetti [mailto:[email protected]]
> Sent: Tuesday, December 9, 2014 00:17
> To: [email protected]
> Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
>
> Jürgen Schmidt wrote:
> > We had a signing mechanism in place for a long time and the reason why
> > we have currently no digital signing is the lack of a certificate where
> > we as project (PMC) or as representative the release manager have enough
> > control.
>
> I do have a certificate and access key to the signing service. Details
> in my "OpenOffice and Infra" report
> http://markmail.org/message/6ymi35tajswcfsps item 4.
>
> Of course, I'm more than happy if someone else is willing to help with
> this; maybe Jan's work of months ago can now be reused and we can sign
> with minimal effort.
>
> Regards,
>    Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
