[cle-release-team] samigo-audio signing issue when building from source.

Steve Swinsburg steve.swinsburg at gmail.com
Thu Oct 4 15:59:28 PDT 2012 

Hi all,

I'm in a bit of a rush [1] so this may not make sense but I'm thinking we have an issue when people build Samigo from source because the samigo-audo jar doesn't get signed.

Basically, the build for the release DOES get signed as part of the release process, but the profile doesn't get activated when people build it from source, AND the properties are missing that actually do the signing:

in samigo-aduio/pom.xml:

<id>jarsign</id>
            <activation>
                <activeByDefault>false</activeByDefault>
            </activation>

and 

 <configuration>
                            <keystore>${sakai.samigo-audio.jarsign.keystore.location}</keystore>
                            <alias>${sakai.samigo-audio.jarsign.alias}</alias>
                            <storepass>${sakai.samigo-audio.jarsign.password}</storepass>
                            <verify>true</verify>
                        </configuration>

I had the same issue when doing the 2.8.2 release, and had to build Samigo in a special way:

https://confluence.sakaiproject.org/display/~steve.swinsburg/sakai-2.8.2+release
mvn2 release:clean release:prepare release:perform -P jarsign -Dsakai.samigo-audio.jarsign.keystore.location=/path/to/sakai.keystore -Dsakai.samigo-audio.jarsign.alias=ALIAS -Dsakai.samigo-audio.jarsign.password=PASSWORD

but that obviously doesn't happen when you just do a mvn clean install sakai:deploy so one would assume that the jar isn't being signed.

I verified this by checking out samigo 2.8.5 and building like anyone else would:

svn co https://source.sakaiproject.org/svn//sam/tags/samigo-2.8.5/
cd samigo-2.8.5/
mvn clean install
find . -name samigo-audio-2.8.5.jar 
(./samigo-audio/target/samigo-audio-2.8.5.jar)
jarsigner -verify ./samigo-audio/target/samigo-audio-2.8.5.jar

jar is unsigned. (signatures missing or not parsable)

So, one would think that we don't build the samigo-audio module and have the build always pull the signed one from the repository?

As mentioned previously, I may have misused something but would appreciate someone else checking this as well.

cheers,
Steve


[1] You'll find out why soon enough.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/cle-release-team/attachments/20121005/c14952c3/attachment-0006.html

More information about the cle-release-team mailing list