Task #9302 (closed)
Opened 12 years ago
Closed 9 years ago
Doc. how to sign webstart jars
Reported by: | jamoore | Owned by: | spli |
---|---|---|---|
Priority: | minor | Milestone: | 5.1.0-m4 |
Component: | Documentation | Version: | 4.4.9 |
Keywords: | n.a. | Cc: | cxallan, cmacleod-x, jburel, spli |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
If possible we should have proper keys for the signed webstart jars. Alternatively, we should provide documentation on how sites can re-sign our jars so as to provide their users a trusted experience.
The related ant targets are:
```xml
<target name="keystore" depends="init" description="Create keystore">
    <genkey alias="${jarsign.alias}" keystore="${jarsign.keystore}"
            storepass="${jarsign.storepass}" validity="${jarsign.validity}">
        <dname>
            <param name="CN" value="omedev"/>
            <param name="OU" value="Open Microscopy Team"/>
            <param name="O" value="openmicroscopy.org"/>
            <param name="C" value="UK"/>
        </dname>
    </genkey>
</target>

<target name="server-verify">
    <apply executable="jarsigner" failonerror="true">
        <fileset dir="${dist.dir}/lib/server" includes="*.jar"/>
        <arg value="-verify"/>
    </apply>
</target>

<target name="webstart-sign">
    <signjar alias="${jarsign.alias}" keystore="${jarsign.keystore}"
             storepass="${jarsign.storepass}" preservelastmodified="true">
        <path>
            <fileset dir="${dist.dir}/lib/insight" includes="*.jar"/>
        </path>
    </signjar>
</target>

<target name="webstart-verify">
    <apply executable="jarsigner" failonerror="true">
        <fileset dir="${dist.dir}/lib/insight" includes="*.jar"/>
        <arg value="-verify"/>
    </apply>
</target>
```
Change History (19)
comment:1 Changed 12 years ago by jmoore
- Component changed from Deployment to Documentation
- Priority changed from critical to major
comment:2 Changed 12 years ago by jmoore
- Summary changed from Proper webstart keys to Doc. how to sign webstart jars
comment:3 Changed 12 years ago by bpindelski
- Owner set to bpindelski
comment:4 Changed 12 years ago by bpindelski
Pushing to 4.4.1. For devs there is
./build.py webstart-sign -Djarsign.alias=myself -Djarsign.keystore=/usr/local/dev/my.jks -Djarsign.storepass=keypass
and for normal users who don't want to clone the repo, there is jarsigner.
We need to decide where to put the pages (one for devs, one for normal users). The signing also has to be properly tested, as I discovered that after signing with my own self-signed cert, I was still getting the omedev one in the JAR properties.
comment:5 Changed 12 years ago by bpindelski
- Milestone changed from OMERO-4.4 to OMERO-4.4.1
- Sprint 2012-07-17 (19) deleted
comment:6 Changed 12 years ago by bpindelski
Blocked by #9370.
comment:7 Changed 12 years ago by bpindelski
- Milestone changed from OMERO-4.4.2 to OMERO-4.4.x
Pushing to 4.4.x. Still waiting for the resolution of #9370. Doc can be written using Sphinx, once we tackle the change from trac to Sphinx wrt. developer docs.
comment:8 Changed 11 years ago by bpindelski
- Priority changed from major to minor
comment:9 Changed 11 years ago by bpindelski
This ticket is probably worthy of a full story. One question raised is do we want to provide signing through bin/omero? The build.py approach doesn't fit in line with sysadmin docs...
comment:10 Changed 11 years ago by bpindelski
- Milestone OMERO-4.4.7 deleted
comment:11 Changed 10 years ago by spli
Note self-signed webstart jars are now blocked in Java 1.7.0_51, see #11772
comment:12 Changed 10 years ago by spli
- Cc spli added
- Version set to 4.4.9
comment:13 Changed 10 years ago by bpindelski
Adding the webstart source URL (i.e. howe) or lowering the security level in the Java control panel allows for running webstart. That's an interim solution.
comment:14 Changed 10 years ago by spli
- Milestone set to 5.0.0
If #11772 is fixed we might as well document it at the same time.
comment:15 Changed 10 years ago by bpindelski
- Owner changed from bpindelski to spli
comment:16 Changed 10 years ago by spli
- Milestone changed from 5.0.0 to 5.0.1
comment:17 Changed 10 years ago by spli
- Milestone changed from 5.0.1 to 5.0.2
comment:18 Changed 9 years ago by spli
comment:19 Changed 9 years ago by jamoore
- Resolution set to fixed
- Status changed from new to closed
Works for me.
As discussed in devteam with stick and chris, there's not really a good way for us to provide this service for the community at the moment. Instead, we should document how one would go about re-signing their own jars, and then it becomes their problem.
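Added example (not part of the ticket or of OMERO's build): running jarsigner on a jar that is already signed adds a second signature next to the existing one, so a site re-signing shipped jars would first drop the old signature entries from `META-INF/`. The sketch below does that with Python's standard library on a constructed sample jar; the function names and the `org/example/Main.class` entry are assumptions made for the illustration.

```python
import io
import re
import zipfile

# Signature-related entries per the JAR specification: META-INF/*.SF, *.DSA,
# *.RSA, *.EC and META-INF/SIG-*; they sit directly in META-INF/.
SIG_ENTRY = re.compile(r"^META-INF/(?:[^/]+\.(?:SF|DSA|RSA|EC)|SIG-[^/]*)$", re.I)


def signers(jar_bytes):
    """Return the signature-file base names (e.g. 'OMEDEV') found in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted({n[len("META-INF/"):-3].upper()
                       for n in jar.namelist()
                       if SIG_ENTRY.match(n) and n.upper().endswith(".SF")})


def strip_signatures(jar_bytes):
    """Copy a jar without its signature entries; the manifest and all other
    entries are copied unchanged and in their original order."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not SIG_ENTRY.match(info.filename):
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar():
    """Constructed sample: a jar carrying one 'OMEDEV' signature (dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/OMEDEV.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/OMEDEV.RSA", b"\x30\x00")  # placeholder, not a real signature block
        jar.writestr("org/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_jar()
    cleaned = strip_signatures(original)
    print("before:", signers(original), "after:", signers(cleaned))
    # Next steps on a real jar (commands, not run here):
    #   jarsigner -keystore <keystore> <jar> <alias>
    #   jarsigner -verify <jar>
```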