Doc. how to sign webstart jars

[jamoore]

If possible we should have proper keys for the signed webstart jars. Alternatively, we should provide documentation on how sites can re-sign our jars so as to provide their users a trusted experience.

The related ant targets are:

    <target name="keystore" depends="init" description="Create keystore">
        <genkey alias="${jarsign.alias}"
            keystore="${jarsign.keystore}"
            storepass="${jarsign.storepass}"
            validity="${jarsign.validity}">
            <dname>
                <param name="CN" value="omedev"/>
                <param name="OU" value="Open Microscopy Team"/>
                <param name="O"  value="openmicroscopy.org"/>
                <param name="C"  value="UK"/>
            </dname>
        </genkey>
    </target>

    <target name="server-verify">
        <apply  executable="jarsigner" failonerror="true">
            <fileset dir="${dist.dir}/lib/server" includes="*.jar"/>
            <arg value="-verify"/>
        </apply>
    </target>

    <target name="webstart-sign">
        <signjar alias="${jarsign.alias}" keystore="${jarsign.keystore}" storepass="${jarsign.storepass}" preservelastmodified="true">
            <path>
                <fileset dir="${dist.dir}/lib/insight" includes="*.jar"/>
            </path>
        </signjar>
    </target>

    <target name="webstart-verify">
        <apply  executable="jarsigner" failonerror="true">
            <fileset dir="${dist.dir}/lib/insight" includes="*.jar"/>
            <arg value="-verify"/>
        </apply>
    </target>

[jmoore]

As discussed in devteam with stick and chris, there's not really a good way for us to provide this service for the community at the moment. Instead, we should document how one would go about re-signing their own jars, and then it becomes their problem.

[bpindelski]

Pushing to 4.4.1. For devs there is

./build.py webstart-sign -Djarsign.alias=myself -Djarsign.keystore=/usr/local/dev/my.jks -Djarsign.storepass=keypass

and for normal users who don't want to clone the repo, there is jarsigner.

We need to decide where to put the pages (one for devs, one for normal users). The signing has also be properly tested, as I discovered that after signing with my own self-signed cert, I was still getting the omedev one in the JAR properties.

[bpindelski]

Blocked by #9370.

[bpindelski]

Pushing to 4.4.x. Still waiting for the resolution of #9370. Doc can be written using Sphinx, once we tackle the change from trac to Sphinx wrt. developer docs.

[bpindelski]

This ticket is probably worthy of a full story. One question raised is do we want to provide signing through bin/omero? The build.py approach doesn't fit in line with sysadmin docs...

[spli]

Note self-signed webstart jars are now blocked in Java 1.7.0_51, see #11772

[bpindelski]

Adding the webstart source URL (i.e. howe) or lowering the security level in the Java control panel allows for running webstart. That's an interim solution.

[spli]

If #11772 is fixed we might as well document it at the same time.

[spli]

Will this do?
​https://www.openmicroscopy.org/site/support/omero5/sysadmins/server-webstart-codesigning.html?highlight=sign#code-signing-your-own-server

[jamoore]

Works for me.