Insight manifest changes for webstart #11772 #2069
Also added Codebase (currently * allows running from anywhere) and Application-Name (displayed in the webstart dialog, instead of the user-unfriendly classname)
Two questions to think about while deploying this:
|
The only other option is |
The ant signjar task doesn't support -storepass:file. Note this no longer preserves the original file modification time.
Added default password file lib/keystore.passwd
Need to use -storepass:file
I've changed |
In general this works as expected. In particular, I do miss some output from the |
Also - this only works with |
I get a
I thought all our nodes use JDK7? |
I am not getting that output (Java 7u45). What's your JDK? Maybe I need to update to u51?
I think so too, but that would be a question to Kenny. |
Is there any use in keeping the old-style, ant-based commands for non-JDK7 users? |
I think the problem is that the |
Excluding. See http://ci.openmicroscopy.org/job/OMERO-5.0-merge-daily/570/ |
Gretzky is still running |
Restore old signjar/genkey tasks for Java<1.7. Use the new exec invocation with -storepass:file only if property jarsign.storepassfile is explicitly set
This reverts commit 94b0f13.
@sbesson @bpindelski This means a standard |
👍 unexcluding |
@manics Tested on Ubuntu with Oracle JDK 7u51. The |
Merging. If any performance issues are seen in the CI jobs we can come back to this. For all the jobs on the JDK6 nodes, we'll likely need to configure explicit use of the XXXX fake password (/cc @sbesson) |
Insight manifest changes for webstart #11772
--rebased-to #2121 |
Partial |
Add Permissions tag (required for webstart) and a couple others to the insight manifest.
Testing: not easy, you'll either need to create your own root CA, or use an existing one (the latter is probably better since it more closely reflects the situation if we obtain an official code-signing cert)... instructions below. At the very least non-webstart Insight should build and work normally.
Import the root CA certificate into the Java certificate store:
Open the Java Control Panel (via System Preferences on OS X), Security, Manage Certificates. Select Signer CA, User, Import, Select /Volumes/ome/team/simon/code-signing/ca.p12
Now start the server and web, and attempt to launch Insight webstart. You should get one or more dialogs, they should show OMERO.Insight instead of an unfriendly classname and the Publisher should not be Unknown.
Note the code-signing certificate should not be imported, if the root CA has been imported and the jar signing succeeded there should be a certificate chain leading up to the root.
Timestamping uses http://time.certum.pl by default. It involves one request per signed jar, http://www.certum.eu/certum/cert,offer_time_stamp.xml (non-qualified) doesn't say anything about limits.
This of course assumes you haven't already added a workaround/exception for Java, if you're unsure try running webstart without this PR and/or without signing the jars and/or without importing the root CA, and compare the dialogs. On the latest Java (1.7.0_51) with default security settings you should not be allowed to run webstart at all without this PR and signing, on older versions you should get a warning. This will not work if the Java security settings have been changed to the highest level as there isn't an OCSP responder for checking whether the certificate has been revoked.
It's also worth seeing whether this can be built on one server and deployed on another.
Codebase=* which in theory means it can run anywhere. /cc @stick
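
A pre-deployment check for the manifest attributes discussed in this PR (Permissions, Codebase, Application-Name), as an added example that is not part of the PR or the OMERO build. It parses the main section of `META-INF/MANIFEST.MF`, including wrapped continuation lines, and reports missing attributes, a wildcard Codebase, and jars with no signature file. The Permissions values, the `example.org` codebase and the `EXAMPLE.SF`/`EXAMPLE.RSA` entries are constructed for illustration, and the signature check is presence only (`jarsigner -verify` does the cryptographic verification).

```python
import io
import zipfile

REQUIRED = ("Permissions", "Codebase", "Application-Name")

def main_attributes(text):
    """Parse the main section of MANIFEST.MF; names are case-insensitive."""
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            if attrs:
                break                      # a blank line ends the main section
        elif line.startswith(" ") and last:
            attrs[last] += line[1:]        # continuation of a line wrapped at 72 bytes
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs

def audit_jar(jar):
    """Return findings for one jar (path or file object). Presence checks only."""
    with zipfile.ZipFile(jar) as zf:
        names = [n.upper() for n in zf.namelist()]
        attrs = main_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    findings = ["missing " + r for r in REQUIRED if not attrs.get(r.lower(), "").strip()]
    perms = attrs.get("permissions", "").strip()
    if perms and perms not in ("sandbox", "all-permissions"):
        findings.append("unknown Permissions value: " + perms)
    if attrs.get("codebase", "").strip() == "*":
        findings.append("wildcard Codebase: jar can be served from any host")
    if not any(n.startswith("META-INF/") and n.endswith(".SF") for n in names):
        findings.append("unsigned: no META-INF/*.SF file")
    return findings

def build_jar(manifest, signed):
    """Constructed sample jar held in memory; the signature files are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/EXAMPLE.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/EXAMPLE.RSA", b"placeholder")
    buf.seek(0)
    return buf

# Constructed manifests: Codebase=* as in this PR, a pinned (and wrapped) Codebase, and a bare one.
WILDCARD = "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\nCodebase: *\r\nApplication-Name: OMERO.Insight\r\n\r\n"
PINNED = "Manifest-Version: 1.0\r\nPermissions: sandbox\r\nCodebase: https://omero.exa\r\n mple.org\r\nApplication-Name: OMERO.Insight\r\n\r\n"
BARE = "Manifest-Version: 1.0\r\nMain-Class: example.Main\r\n\r\n"
```

Run `audit_jar` over each built jar in CI and fail the job on any finding you are not prepared to accept, such as the wildcard Codebase.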