More webstart code-signing changes #2193
Conversation
We're going to be code-signing in a separate process, so this prevents jars being double-signed, once with the self-signed cert and once with a proper one. The webstart-sign target is still there, so you can use `./build.py webstart-sign release-webstart`.
manics
changed the title
manics
changed the title
|
I've not used that manifest field, so can't say much. Reading through the Java doc, it looks sensible to use it. |
|
The (now) unsigned Insight from gretzky doesn't work - the addition of |
|
I took Webstart hasn't worked for me for ages, I can revert |
|
I fully understand why you took out the Today I cannot run webstart from I'd suggest coordinating with the team, so that downtime for the deployed systems is minimal and so that we don't slow down the daily testing process. Summing up - changes here are OK and it's good to merge, but if I were in your place, I'd exclude this PR until the signing setup is in place and the switch can happen overnight. |
| @@ -1022,7 +1022,6 @@ omero.version=${omero.version} | |||
| </copy> | |||
| <copy file="components/insight/OUT/dist/omero.insight.jar" tofile="${dist.dir}/lib/insight/omero.insight.jar"/> | |||
| <copy file="components/insight/SRC/org/openmicroscopy/shoola/env/ui/graphx/omeabout-bk.png" tofile="${dist.dir}/lib/insight/ome.png"/> | |||
| <antcall target="webstart-sign" inheritAll="true" inheritRefs="true"/> | |||
There was a problem hiding this comment.
release-all will likely need to be updated with this change. What's the reasoning? Is this no longer supported?
There was a problem hiding this comment.
If we're going to do the signing in a separate process the jars will end up with two signatures (jarsign doesn't remove an existing one).
webstart-sign was only called from release-webstart, so I don't think release-all needs changing.
|
Another option would be to re-pack the jars into a single one during the external signing process, which would also get around the problems with timestamp server throttling. |
|
Labelled as |
|
@manics: no real objection to an |
|
As discussed on Friday I'll make the signing script run as part of the standard merge build, can someone remove the breaking label? |
|
Done |
Automatically run this script with the existing self-signed certificate as part of the standard docs/hudson/OMERO.sh build
|
Failed http://ci.openmicroscopy.org/job/OMERO-5.0-merge-daily/617/console. Excluding. |
|
|
|
Unexclude and rebuild gretzky at some point? |
|
Since Gretzky runs from dist (and not by deploying the OMERO.server-*.zip artifact) the deployed server isn't signed, so I've added |
|
@bpindelski Do you mind having a quick check of today's OMERO-5.0-merge server build? webstart should be using the original self-signed cert, but with |
|
@manics Webstart works fine today on gretzky, thanks. |
More webstart code-signing changes (merging for `5.0.1`)
|
--rebased-to #2238 |
|
--rebased-to #2321 |
Add a
Trusted-Onlyattribute to manifest. I think this helps avoids additional warnings in Insight webstart. When testing locally it didn't affect the running of the standard Insight client, but this should be tested more widely. Also disable automatic self-signing. See commit messages for more info.Testing: check insight still fully works. Check the unsigned server works. Then we can try signing webstart with the proper certificate and redeploying.
@bpindelski Do you know anything about the impact (good or bad) of
Trusted-Only?