[cle-release-team] samigo-audio signing issue when building from source.

Steve Swinsburg steve.swinsburg at gmail.com
Thu Oct 4 16:44:43 PDT 2012


Ok I've confirmed that removing this module from the build makes things behave correctly. It gets the correct signed jar from the remote repo and everything is happy with recording. 

Also resolves this issue:
https://jira.sakaiproject.org/browse/SAM-1783

I'll file a Jira for a complete fix so that releases still activate the module.

cheers,
Steve

On 05/10/2012, at 9:21 AM, Matthew Jones <matthew at longsight.com> wrote:

> We've also found locally that you really don't ever want to sign this audio jar anyway. If you locally sign it with your own certificate then newer versions of OSX won't trust it and pop up a bunch of warnings.
> 
> And to get a Java code signing certificate for your individual organization costs $300 a year.
> http://www.thawte.com/code-signing/content-signing-certificates/sun-java/index.html
> 
> So you're very likely, even building from source, to want to download a version of this officially signed by the Sakai foundation. There probably should be something that does like you did, download the version that it needs (like a samigo-audio deploy) and uses that always. It doesn't change much, but because of problems in IE9, the version in Sakai 2.9 isn't compatible with versions in 2.8 (and anything prior to this probably has an invalid or expired certificate anyway).
> 
> On Thu, Oct 4, 2012 at 7:16 PM, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
> As a followup, I cleaned out my local repo, removed the samigo-audio module from the samigo pom so that it would force a download of the jar from the remote repo (where it IS signed), built and verified:
> 
> [imac:~/.m2/repository/org/sakaiproject/samigo]$ find . -name samigo-audio-2.8.5.jar
> ./samigo-audio/2.8.5/samigo-audio-2.8.5.jar
> [imac:~/.m2/repository/org/sakaiproject/samigo]$ jarsigner -verify ./samigo-audio/2.8.5/samigo-audio-2.8.5.jar
> jar verified.
> 
> So I'm thinking that we make the building of this module conditional on the release process, i.e. normal source deploys don't build it.
> 
> WDYT?
> 
> thanks,
> Steve
> 
> 
> 
> On 05/10/2012, at 8:59 AM, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
> 
>> Hi all,
>> 
>> I'm in a bit of a rush [1] so this may not make sense but I'm thinking we have an issue when people build Samigo from source because the samigo-audio jar doesn't get signed.
>> 
>> Basically, the build for the release DOES get signed as part of the release process, but the profile doesn't get activated when people build it from source, AND the properties are missing that actually do the signing:
>> 
>> in samigo-audio/pom.xml:
>> 
>> <id>jarsign</id>
>> <activation>
>>     <activeByDefault>false</activeByDefault>
>> </activation>
>> 
>> and
>> 
>> <configuration>
>>     <keystore>${sakai.samigo-audio.jarsign.keystore.location}</keystore>
>>     <alias>${sakai.samigo-audio.jarsign.alias}</alias>
>>     <storepass>${sakai.samigo-audio.jarsign.password}</storepass>
>>     <verify>true</verify>
>> </configuration>
>> 
>> I had the same issue when doing the 2.8.2 release, and had to build Samigo in a special way:
>> 
>> https://confluence.sakaiproject.org/display/~steve.swinsburg/sakai-2.8.2+release
>> mvn2 release:clean release:prepare release:perform -P jarsign -Dsakai.samigo-audio.jarsign.keystore.location=/path/to/sakai.keystore -Dsakai.samigo-audio.jarsign.alias=ALIAS -Dsakai.samigo-audio.jarsign.password=PASSWORD
>> 
>> but that obviously doesn't happen when you just do a mvn clean install sakai:deploy so one would assume that the jar isn't being signed.
>> 
>> I verified this by checking out samigo 2.8.5 and building like anyone else would:
>> 
>> svn co https://source.sakaiproject.org/svn//sam/tags/samigo-2.8.5/
>> cd samigo-2.8.5/
>> mvn clean install
>> find . -name samigo-audio-2.8.5.jar 
>> (./samigo-audio/target/samigo-audio-2.8.5.jar)
>> jarsigner -verify ./samigo-audio/target/samigo-audio-2.8.5.jar
>> 
>> jar is unsigned. (signatures missing or not parsable)
>> 
>> So, one would think that we don't build the samigo-audio module and have the build always pull the signed one from the repository?
>> 
>> As mentioned previously, I may have misused something but would appreciate someone else checking this as well.
>> 
>> cheers,
>> Steve
>> 
>> 
>> [1] You'll find out why soon enough.
> 
> 

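Added example (not part of the original thread and not Sakai project code): a structural pre-check that separates the two results the thread gets from jarsigner -verify, and also flags a jar where a class was added after signing. It does not check digests or certificates, so a "signed-layout" result still has to pass jarsigner -verify. The jars, the SAKAI signer name and the class names below are constructed for illustration.

```python
import io
import re
import zipfile

# Signature-related entry names, per the JAR file specification.
SF = re.compile(r"^META-INF/([^/]+)\.SF$", re.I)
BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"

def section_names(text):
    """Return the 'Name:' values of a manifest or .SF file, unfolding wrapped lines."""
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    return {line[6:] for line in text.split("\n") if line.startswith("Name: ")}

def signature_status(jar_bytes):
    """Return (status, entries not covered by any signature file).

    status is 'unsigned', 'partial' or 'signed-layout' (layout only, no crypto)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        blocks = {m.group(1).upper() for m in map(BLOCK.match, names) if m}
        # A .SF file only counts when its signature block (.RSA/.DSA/.EC) is present.
        signers = [n for n in names if SF.match(n) and SF.match(n).group(1).upper() in blocks]
        payload = {n for n in names
                   if n.upper() != MANIFEST and not SF.match(n) and not BLOCK.match(n)}
        if not signers:
            return "unsigned", sorted(payload)
        covered = set().union(*(section_names(jar.read(sf).decode("utf-8")) for sf in signers))
        missing = sorted(payload - covered)
        return ("partial" if missing else "signed-layout"), missing

def build_jar(files):
    """Constructed sample input: build an in-memory jar from {entry name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in files.items():
            jar.writestr(name, text)
    return buf.getvalue()

# Constructed jars; entry names, signer name and contents are placeholders.
BASE = {MANIFEST: "Manifest-Version: 1.0\n", "org/example/Recorder.class": "x"}
SIGS = {"META-INF/SAKAI.SF": "Signature-Version: 1.0\n\nName: org/example/Recorder.class\n",
        "META-INF/SAKAI.RSA": "placeholder"}
UNSIGNED = build_jar(BASE)
SIGNED = build_jar({**BASE, **SIGS})
PARTIAL = build_jar({**BASE, **SIGS, "org/example/Added.class": "y"})

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED), ("signed", SIGNED), ("partial", PARTIAL)):
        print(label, signature_status(jar))
```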