
Task #9302 (closed)

Opened 12 years ago

Closed 9 years ago

Doc. how to sign webstart jars

Reported by: jamoore
Owned by: spli
Priority: minor
Milestone: 5.1.0-m4
Component: Documentation
Version: 4.4.9
Keywords: n.a.
Cc: cxallan, cmacleod-x, jburel, spli
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: n.a.

Description

If possible we should have proper keys for the signed webstart jars. Alternatively, we should provide documentation on how sites can re-sign our jars so as to provide their users a trusted experience.

The related ant targets are:

    <target name="keystore" depends="init" description="Create keystore">
        <genkey alias="${jarsign.alias}"
            keystore="${jarsign.keystore}"
            storepass="${jarsign.storepass}"
            validity="${jarsign.validity}">
            <dname>
                <param name="CN" value="omedev"/>
                <param name="OU" value="Open Microscopy Team"/>
                <param name="O"  value="openmicroscopy.org"/>
                <param name="C"  value="UK"/>
            </dname>
        </genkey>
    </target>

    <target name="server-verify">
        <apply  executable="jarsigner" failonerror="true">
            <fileset dir="${dist.dir}/lib/server" includes="*.jar"/>
            <arg value="-verify"/>
        </apply>
    </target>

    <target name="webstart-sign">
        <signjar alias="${jarsign.alias}" keystore="${jarsign.keystore}" storepass="${jarsign.storepass}" preservelastmodified="true">
            <path>
                <fileset dir="${dist.dir}/lib/insight" includes="*.jar"/>
            </path>
        </signjar>
    </target>

    <target name="webstart-verify">
        <apply  executable="jarsigner" failonerror="true">
            <fileset dir="${dist.dir}/lib/insight" includes="*.jar"/>
            <arg value="-verify"/>
        </apply>
    </target>

Change History (19)

comment:1 Changed 12 years ago by jmoore

  • Component changed from Deployment to Documentation
  • Priority changed from critical to major

As discussed in devteam with stick and chris, there's not really a good way for us to provide this service for the community at the moment. Instead, we should document how one would go about re-signing their own jars, and then it becomes their problem.

comment:2 Changed 12 years ago by jmoore

  • Summary changed from Proper webstart keys to Doc. how to sign webstart jars

comment:3 Changed 12 years ago by bpindelski

  • Owner set to bpindelski

comment:4 Changed 12 years ago by bpindelski

Pushing to 4.4.1. For devs there is

    ./build.py webstart-sign -Djarsign.alias=myself -Djarsign.keystore=/usr/local/dev/my.jks -Djarsign.storepass=keypass

and for normal users who don't want to clone the repo, there is jarsigner.

We need to decide where to put the pages (one for devs, one for normal users). The signing also has to be properly tested, as I discovered that after signing with my own self-signed cert, I was still getting the omedev one in the JAR properties.
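
Added example (not part of the ticket or of OMERO's build): one way to check which signers a jar carries before and after re-signing, and to drop earlier signature entries first. It assumes jarsigner's default signature file naming (no sigfile option, which the webstart-sign target above does not set); all function names are hypothetical and the sample jar is constructed.

```python
import io
import re
import zipfile

# jarsigner writes META-INF/<NAME>.SF plus a <NAME>.RSA/.DSA/.EC block.
# Assumption: default naming, i.e. <NAME> is the first 8 characters of the
# signing alias, upper-cased, with disallowed characters turned into "_".
SIG_ENTRY = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def expected_sigfile(alias):
    """Base name jarsigner derives from an alias when no sigfile is given."""
    return re.sub(r"[^A-Z0-9_-]", "_", alias.upper()[:8])


def signers(jar):
    """Sorted signature base names found in a jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        found = (SIG_ENTRY.match(name) for name in zf.namelist())
        return sorted({m.group(1).upper() for m in found if m})


def unexpected_signers(jar, alias):
    """Signature base names that do not belong to the site's own alias."""
    return [s for s in signers(jar) if s != expected_sigfile(alias)]


def strip_signatures(src, dst):
    """Copy src to dst without signature entries; return the names dropped."""
    dropped = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if SIG_ENTRY.match(info.filename):
                dropped.append(info.filename)
                continue
            zout.writestr(info, zin.read(info))  # keeps name, date, compression
    return dropped


def make_sample_jar(sig_names):
    """Constructed input: a tiny jar with dummy (not real) signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("org/example/Main.class", b"\xca\xfe\xba\xbe")
        for name in sig_names:
            zf.writestr(f"META-INF/{name}.SF", "Signature-Version: 1.0\r\n")
            zf.writestr(f"META-INF/{name}.RSA", b"constructed placeholder")
    return buf
```

Run strip_signatures on each jar before jarsigner or the webstart-sign target, then signers afterwards; jarsigner -verify -verbose -certs shows the certificate behind each remaining signature.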

comment:5 Changed 12 years ago by bpindelski

  • Milestone changed from OMERO-4.4 to OMERO-4.4.1
  • Sprint 2012-07-17 (19) deleted

comment:6 Changed 12 years ago by bpindelski

Blocked by #9370.

comment:7 Changed 12 years ago by bpindelski

  • Milestone changed from OMERO-4.4.2 to OMERO-4.4.x

Pushing to 4.4.x. Still waiting for the resolution of #9370. Doc can be written using Sphinx, once we tackle the change from trac to Sphinx wrt. developer docs.

comment:8 Changed 11 years ago by bpindelski

  • Priority changed from major to minor

comment:9 Changed 11 years ago by bpindelski

This ticket is probably worthy of a full story. One question raised is do we want to provide signing through bin/omero? The build.py approach doesn't fit in line with sysadmin docs...

comment:10 Changed 11 years ago by bpindelski

  • Milestone OMERO-4.4.7 deleted

comment:11 Changed 10 years ago by spli

Note self-signed webstart jars are now blocked in Java 1.7.0_51, see #11772

comment:12 Changed 10 years ago by spli

  • Cc spli added
  • Version set to 4.4.9

comment:13 Changed 10 years ago by bpindelski

Adding the webstart source URL (i.e. howe) or lowering the security level in the Java control panel allows for running webstart. That's an interim solution.

comment:14 Changed 10 years ago by spli

  • Milestone set to 5.0.0

If #11772 is fixed we might as well document it at the same time.

comment:15 Changed 10 years ago by bpindelski

  • Owner changed from bpindelski to spli

comment:16 Changed 10 years ago by spli

  • Milestone changed from 5.0.0 to 5.0.1

comment:17 Changed 10 years ago by spli

  • Milestone changed from 5.0.1 to 5.0.2

comment:19 Changed 9 years ago by jamoore

  • Resolution set to fixed
  • Status changed from new to closed

Works for me.
