Posted to dev@ant.apache.org by Nick Fortescue <ni...@smartspread.com> on 2001/06/14 14:50:16 UTC

signjar which does more than one file and dependency checking

There are two things we'd really like in the signjar task here

1) Being able to specify jars to sign in a fileset.
2) Checking the jars (maybe using jarsigner -verify) to see if they need
signing before signing them.

The reason for signing a bunch of jars at once is for a release script under
JavaWebStart. The reason for the verify is signing can be very slow, and
we'd rather not have it done if not necessary. If no-one else has done this
I'll write it myself, but if it's been done already I'd rather not duplicate
the work.

While I'm at it, various messages in the archive mention an scp task. Is
there one available? exec doesn't work because of the lack of a controlling
shell. Or am I missing something?

Nick Fortescue


Re: [SUBMIT] signjar which does more than one file and dependency checking

Posted by Nick Fortescue <ni...@smartspread.com>.
----- Original Message -----
From: "Peter Donald" <do...@apache.org>
> On Tue, 19 Jun 2001 20:53, Nick Fortescue wrote:
> >
> > To turn on the extra signing checking set the boolean attribute "lazy" to
> > be true, it is false by default.
>
> okay. I am not sure I like the name of that attribute. Perhaps it should be
> something like force="true" by default to align with other tasks naming
> conventions - what do you think? (Or maybe there is a better name
> check-dependecy="true" or similar?

I wasn't particularly happy with the "lazy" name either. Which tasks use
"force"? I had a quick browse through the other tasks to see if I could find
something analogous and couldn't. Anyway, I'm happy whatever it is.

Nick



Re: [SUBMIT] signjar which does more than one file and dependency checking

Posted by Peter Donald <do...@apache.org>.
On Tue, 19 Jun 2001 20:53, Nick Fortescue wrote:

> OK, attached to this mail is the new code. It is backwards compatible with
> the old code in that anything that worked before should work exactly the
> same now. However, you can also add nested fileset elements to specify
> signing more than one jar with the same key.

excellent !

>
> To turn on the extra signing checking set the boolean attribute "lazy" to
> be true, it is false by default.

okay. I am not sure I like the name of that attribute. Perhaps it should be 
something like force="true" by default to align with other tasks naming 
conventions - what do you think? (Or maybe there is a better name 
check-dependecy="true" or similar?

> I think I got all the indentation correct, but it would be good if someone
> who has their editor set up to the apache way could check my tabs, as I'm
> one of those emacs users who gets horribly confused with changing tab-size,
> and don't want to lose my normal work coding standard settings. :-) 

Generally it's a no tabs but 4 spaces indent policy. Luckily my emacs setting 
format buffer on load ;)

>Also, I
> didn't add any extra log messages as I'm not really familiar with the
> custom of how many log messages it is good to have. It might be I should
> have some more.

I am a less is more kinda person. We can leave it bare until someone requests 
more I guess ;)

Cheers,

Pete

*-----------------------------------------------------*
| "Faced with the choice between changing one's mind, |
| and proving that there is no need to do so - almost |
| everyone gets busy on the proof."                   |
|              - John Kenneth Galbraith               |
*-----------------------------------------------------*

[SUBMIT] signjar which does more than one file and dependency checking

Posted by Nick Fortescue <ni...@smartspread.com>.
From: "Peter Donald" <do...@apache.org>
> On Mon, 18 Jun 2001 22:57, Nick Fortescue wrote:
> > I have written a class MySignJar which extends SignJar and adds the
> > features below.
> >
> > 1) You can specify jars to sign in a fileset.
> > 2) It looks in the jar file to see if an appropriate .SF file exists, and
> > if it does assumes the jar has already been signed.
> >
> > I'm happy to send the code to the list and for others to use it, and for
> > the code to be included in the ant CVS. Is anyone interested? Would I be
> > better sending it as my class which extends through inheritance, a new
> > version of SignJar with the features added, or a diff of the new version of
> > signjar?
>
> Probably best to send a new version of SignJar with features added. It will
> need to keep the backwards compatibility though so that existing signjar
> users aren't dismayed ;)

OK, attached to this mail is the new code. It is backwards compatible with
the old code in that anything that worked before should work exactly the
same now. However, you can also add nested fileset elements to specify
signing more than one jar with the same key.

To turn on the extra signing checking set the boolean attribute "lazy" to be
true, it is false by default.

I think I got all the indentation correct, but it would be good if someone
who has their editor set up to the apache way could check my tabs, as I'm
one of those emacs users who gets horribly confused with changing tab-size,
and don't want to lose my normal work coding standard settings. :-) Also, I
didn't add any extra log messages as I'm not really familiar with the custom
of how many log messages it is good to have. It might be I should have some
more.

Nick
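
The "lazy" check described in this message (look for an appropriate .SF file and assume the jar is signed), shown next to a full verification pass, as an added example that is not the code attached to the original mail. The class and method names are hypothetical, and the .SF name follows jarsigner's default naming, assuming no -sigfile option was used.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

public class LazySignCheck {
    // jarsigner's default signature-file base name: first 8 characters of the
    // alias, upper-cased, with anything outside A-Z 0-9 _ - replaced by '_'.
    static String sigBaseName(String alias) {
        String s = alias.length() > 8 ? alias.substring(0, 8) : alias;
        return s.toUpperCase(Locale.ENGLISH).replaceAll("[^A-Z0-9_-]", "_");
    }

    // The cheap test from the thread: is META-INF/<ALIAS>.SF present?
    // It only says signing can be skipped; it verifies nothing.
    static boolean hasSignatureFile(File jar, String alias) throws IOException {
        try (JarFile jf = new JarFile(jar, false)) {
            return jf.getEntry("META-INF/" + sigBaseName(alias) + ".SF") != null;
        }
    }

    // The expensive test: read every entry with verification enabled and require
    // a signer on each. A digest mismatch surfaces as a SecurityException on read.
    static boolean everyEntrySigned(File jar) throws IOException {
        try (JarFile jf = new JarFile(jar, true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    in.readAllBytes(); // signers are only known once fully read
                }
                if (e.getCodeSigners() == null) return false;
            }
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an unsigned jar carrying a leftover, empty MYKEY.SF.
        File jar = File.createTempFile("sample", ".jar");
        jar.deleteOnExit();
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar), mf)) {
            out.putNextEntry(new JarEntry("META-INF/MYKEY.SF"));
            out.closeEntry();
            out.putNextEntry(new JarEntry("app/data.txt"));
            out.write("hello".getBytes("UTF-8"));
            out.closeEntry();
        }
        System.out.println("lazy check says signed: " + hasSignatureFile(jar, "mykey"));
        System.out.println("every entry has signer: " + everyEntrySigned(jar));
    }
}
```

The two results differ on the constructed jar, which is why the .SF test is suitable as a build-time shortcut for skipping a slow signing step but not as evidence that a jar received from elsewhere is validly signed.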

Re: signjar which does more than one file and dependency checking

Posted by Peter Donald <do...@apache.org>.
On Mon, 18 Jun 2001 22:57, Nick Fortescue wrote:
> I have written a class MySignJar which extends SignJar and adds the
> features below.
>
> 1) You can specify jars to sign in a fileset.
> 2) It looks in the jar file to see if an appropriate .SF file exists, and
> if it does assumes the jar has already been signed.
>
> I'm happy to send the code to the list and for others to use it, and for
> the code to be included in the ant CVS. Is anyone interested? Would I be
> better sending it as my class which extends through inheritance, a new
> version of SignJar with the features added, or a diff of the new version of
> signjar?

Probably best to send a new version of SignJar with features added. It will 
need to keep the backwards compatibility though so that existing signjar 
users aren't dismayed ;)

Cheers,

Pete


Re: signjar which does more than one file and dependency checking

Posted by Nick Fortescue <ni...@smartspread.com>.
I have written a class MySignJar which extends SignJar and adds the features
below.

1) You can specify jars to sign in a fileset.
2) It looks in the jar file to see if an appropriate .SF file exists, and if
it does assumes the jar has already been signed.

I'm happy to send the code to the list and for others to use it, and for the
code to be included in the ant CVS. Is anyone interested? Would I be better
sending it as my class which extends through inheritance, a new version of
SignJar with the features added, or a diff of the new version of signjar?

Nick Fortescue

> At 01:50 PM 6/14/01 +0100, Nick Fortescue wrote:
> >There are two things we'd really like in the signjar task here
> >
> >1) Being able to specify jars to sign in a fileset.
> >2) Checking the jars (maybe using jarsigner -verify) to see if they need
> >signing before signing them.



Re: signjar which does more than one file and dependency checking

Posted by Peter Donald <do...@apache.org>.
At 01:50 PM 6/14/01 +0100, Nick Fortescue wrote:
>There are two things we'd really like in the signjar task here
>
>1) Being able to specify jars to sign in a fileset.
>2) Checking the jars (maybe using jarsigner -verify) to see if they need
>signing before signing them.
>
>The reason for signing a bunch of jars at once is for a release script under
>JavaWebStart. The reason for the verify is signing can be very slow, and
>we'd rather not have it done if not necessary. If no-one else has done this
>I'll write it myself, but if it's been done already I'd rather not duplicate
>the work.

I don't have the source with me at the moment but there are two file
attributes to task. One is "source" jar and one is "destination" jar (ie
post signing). If you do not specify destination then it is assumed
destination == source. However if you do specify destination then the task
will check if destination exists and if it is newer than source destination
and key. If it is newer then the task doesn't run else it does run.

If you can think of a better way of verifying it has been signed that is
low cost - feel free to implement it. If you were to implement fileset
signing you would also have to integrate this dependency testing as well.

>While I'm at it, various messages in the archive mention an scp task. Is
>there one available? exec doesn't work because of the lack of a controlling
>shell. Or am I missing something?

Do you mean that scp does not work because you can't specify password? If
so then it may be useful to use the public keypairs facility and start
agent before running task. That's about the only safe solution I can think of.


>
>Nick Fortescue
>
>
Cheers,

Pete
