[cle-release-team] samigo-audio signing issue when building from source.

Matthew Jones matthew at longsight.com
Thu Oct 4 16:21:33 PDT 2012


We've also found locally that you really don't ever want to sign this audio
jar anyway. If you locally sign it with your own certificate then newer
versions of OSX won't trust it and pop up a bunch of warnings.

And to get a java code signing certificate for your individual organization
costs $300 a year.
http://www.thawte.com/code-signing/content-signing-certificates/sun-java/index.html

So you're very likely, even building from source, to want to download a
version of this officially signed by the Sakai foundation. There probably
should be something that does like you did, download the version that it
needs (like a samigo-audio deploy) and uses that always. It doesn't change
much, but because of problems in IE9, the version in Sakai 2.9 isn't
compatible with versions in 2.8 (and anything prior to this probably has
an invalid or expired certificate anyway).

On Thu, Oct 4, 2012 at 7:16 PM, Steve Swinsburg
<steve.swinsburg at gmail.com> wrote:

> As a followup, I cleaned out my local repo, removed the samigo-audio
> module from the samigo pom so that it would force a download of the jar
> from the remote repo (where it IS signed), build and verified:
>
> [imac:~/.m2/repository/org/sakaiproject/samigo]$ find . -name
> samigo-audio-2.8.5.jar
> ./samigo-audio/2.8.5/samigo-audio-2.8.5.jar
> [imac:~/.m2/repository/org/sakaiproject/samigo]$ jarsigner -verify
> ./samigo-audio/2.8.5/samigo-audio-2.8.5.jar
> *jar verified.*
>
> So I'm thinking that we make the building of this module conditional on
> the release process, i.e. normal source deploys don't build it.
>
> WDYT?
>
> thanks,
> Steve
>
>
>
> On 05/10/2012, at 8:59 AM, Steve Swinsburg <steve.swinsburg at gmail.com>
> wrote:
>
> Hi all,
>
> I'm in a bit of a rush [1] so this may not make sense but I'm thinking we
> have an issue when people build Samigo from source because the samigo-audio
> jar doesn't get signed.
>
> Basically, the build for the release DOES get signed as part of the
> release process, but the profile doesn't get activated when people build it
> from source, AND the properties are missing that actually do the signing:
>
> in samigo-audio/pom.xml:
>
> <id>jarsign</id>
> <activation>
>     <activeByDefault>false</activeByDefault>
> </activation>
>
> and
>
> <configuration>
>     <keystore>${sakai.samigo-audio.jarsign.keystore.location}</keystore>
>     <alias>${sakai.samigo-audio.jarsign.alias}</alias>
>     <storepass>${sakai.samigo-audio.jarsign.password}</storepass>
>     <verify>true</verify>
> </configuration>
>
> I had the same issue when doing the 2.8.2 release, and had to build Samigo
> in a special way:
>
>
> https://confluence.sakaiproject.org/display/~steve.swinsburg/sakai-2.8.2+release
> mvn2 release:clean release:prepare release:perform -P jarsign
> -Dsakai.samigo-audio.jarsign.keystore.location=/path/to/sakai.keystore
> -Dsakai.samigo-audio.jarsign.alias=ALIAS
> -Dsakai.samigo-audio.jarsign.password=PASSWORD
>
> but that obviously doesn't happen when you just do a mvn clean install
> sakai:deploy so one would assume that the jar isn't being signed.
>
> I verified this by checking out samigo 2.8.5 and building like anyone else
> would:
>
> svn co https://source.sakaiproject.org/svn//sam/tags/samigo-2.8.5/
> cd samigo-2.8.5/
> mvn clean install
> find . -name samigo-audio-2.8.5.jar
> (./samigo-audio/target/samigo-audio-2.8.5.jar)
> jarsigner -verify ./samigo-audio/target/samigo-audio-2.8.5.jar
>
> *jar is unsigned. (signatures missing or not parsable)*
>
> So, one would think that we don't build the samigo-audio module and have
> the build always pull the signed one from the repository?
>
> As mentioned previously, I may have misused something but would appreciate
> someone else checking this as well.
>
> cheers,
> Steve
>
>
> [1] You'll find out why soon enough.
>
>
>
> _______________________________________________
> cle-release-team mailing list
> cle-release-team at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/cle-release-team
>
>
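The two jarsigner results quoted above ("jar verified." for the repository artifact, "jar is unsigned. (signatures missing or not parsable)" for the local build) come down to whether the jar carries the files jarsigner writes under META-INF/: per-entry digests in MANIFEST.MF, an ALIAS.SF signature file and a matching ALIAS.RSA/.DSA/.EC signature block. The script below is an added example, not code from the thread or from the Sakai project; it inspects that structure so a build or release check can flag an unsigned samigo-audio jar before it is deployed. The jars it examines are constructed in memory, and the "signed" sample carries placeholder signature bytes rather than a real signature, so it only exercises the structural check. The check is deliberately weaker than `jarsigner -verify`: it tells you a jar never went through a signer, but it cannot tell you the signature is valid or that the certificate is one the JRE (or OSX, per Matthew's point) will trust, so it complements rather than replaces the jarsigner step in the release process.

```python
"""Structural check for jarsigner signature artifacts in a jar (added example)."""
import io
import zipfile

# Suffixes jarsigner uses for the signature block paired with each .SF file.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def _alias(entry_name):
    """'META-INF/SAKAI.SF' -> 'SAKAI' (jarsigner upper-cases these names)."""
    return entry_name.split("/", 1)[1].rsplit(".", 1)[0].upper()


def jar_signing_state(jar_bytes):
    """Report which signature artifacts a jar (given as zip bytes) contains.

    A jar that has been through jarsigner has, directly under META-INF/,
    a MANIFEST.MF with per-entry digests, an ALIAS.SF signature file and an
    ALIAS.RSA/.DSA/.EC signature block. A plain 'mvn clean install' that never
    activates the jarsign profile writes none of these.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        # Only top-level META-INF entries are signature files; ignore nested dirs.
        meta = [n for n in names
                if n.upper().startswith("META-INF/") and n.count("/") == 1]
        sf_aliases = {_alias(n) for n in meta if n.upper().endswith(".SF")}
        block_aliases = {_alias(n) for n in meta
                         if n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)}
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    signers = sorted(sf_aliases & block_aliases)       # .SF with a matching block
    has_digests = "-Digest:" in manifest               # e.g. "SHA-256-Digest:"
    return {
        "signers": signers,
        # An .SF without its block (or vice versa) is what jarsigner reports as
        # "not parsable": the jar is not usable as signed.
        "orphans": sorted((sf_aliases | block_aliases) - set(signers)),
        "manifest_has_digests": has_digests,
        "signed": bool(signers) and has_digests,
    }


def describe(jar_bytes):
    """One-line verdict in the spirit of jarsigner's output."""
    state = jar_signing_state(jar_bytes)
    if state["signed"]:
        return ("signed by %s (structure only; run 'jarsigner -verify' to check "
                "the signature and certificate)" % ", ".join(state["signers"]))
    if state["orphans"]:
        return "unsigned: incomplete signature files for %s" % ", ".join(state["orphans"])
    return "unsigned (signatures missing)"


def build_sample_jar(signed, include_block=True):
    """Construct a minimal jar in memory. Sample data, not a real Sakai artifact.

    The 'signed' variant mimics the layout jarsigner produces, but the .SF and
    .RSA contents are placeholders, not a real signature; jarsigner -verify
    would reject them. 'include_block=False' drops the .RSA to simulate a
    damaged signature.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\r\n\r\n"
        if signed:
            manifest += ("Name: org/sakaiproject/Audio.class\r\n"
                         "SHA-256-Digest: <constructed-placeholder>\r\n\r\n")
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/sakaiproject/Audio.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/SAKAI.SF", "Signature-Version: 1.0\r\n")
            if include_block:
                zf.writestr("META-INF/SAKAI.RSA", b"placeholder-signature-block")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("local mvn clean install", build_sample_jar(False)),
        ("release build with jarsign profile", build_sample_jar(True)),
        ("signed jar missing its .RSA block", build_sample_jar(True, include_block=False)),
    )
    for label, jar in samples:
        print("%s: %s" % (label, describe(jar)))
```

Run it on a real artifact by reading the jar file into bytes and passing them to `describe()`; wiring that into a release checklist step gives an early, dependency-free signal that the jarsign profile was skipped, after which `jarsigner -verify` remains the authoritative check.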