Hide Forgot
Date of First Response: 2010-02-16 10:49:04 project_key: SOA This is a task for RE: The final build needs a signed manifest file in the soa-5.0.0 .zip file that will be placed on the CSP, so customers can check the integrity and source of the SOA-P5 jars on a per-file basis.
Attachment: Added: domanifest.py
Attachment: Added: manifestverifier.py
Link: Added: This issue related JBQA-3167
Link: Added: This issue related BRMS-261
Code is now in our signing routine to produce the manifest file. Verifier to come.
Link: Added: This issue related JBQA-3975
Writer: Added: dlesage
It has been decided for now to keep the manifest file within the product zip. The MANIFEST.MF file will reside in a top level directory called Manifest. [12:37] <ldimaggi_> mschoene, tkirby remember the SOA-P 5.0 manifest files? Was this done as a stopgap measure as we were unable to sign all the jars? [12:38] <mschoene> ldimaggi_, yes, we wanted to have trusted checksum [12:38] <ldimaggi_> mschoene, tkirby what's the state of signing for 5.1? [12:39] <tkirby> tkirby, mschoene broken by the attempt to add a manifest :-) [12:40] <mschoene> tkirby, who is guilty , hen or egg ? [12:41] <jdc> mschoene: Dinsoaurs. [12:41] <mschoene> jdc, :) [12:41] <tkirby> mschoene, signing was working fine, but the manifest appeared in the top level, attempting to move this outside has caused problems so we can [12:42] <tkirby> mschoene, ldimaggi_ a) just sign [12:42] <tkirby> b) sign and have manifest in top level [12:42] <mschoene> tkirby, the signing process creates manifests too , btw [12:42] <tkirby> c) sign and have manifest seperate [12:42] <mschoene> tkirby, staying with b) is great [12:43] <tkirby> mschoene, ok because that is what we had [12:43] <tkirby> griz ping ^^^^^^^^^^ [12:45] <griz> tkirby: ok, I'll put it back to how it was. [12:45] <ldimaggi_> tkirby, griz mschoene great! [12:47] <tkirby> griz is it still in a meta-inf directory? [12:49] <griz> tkirby: I'd changed it to be a freestanding file in it's own zip. I'll take my changes out of the sign-unsigned-jars and then it'll be in the META-INF dir in the product zip. [12:49] <tkirby> griz can we rename that to Manifest? [12:49] <tkirby> griz or is that what you get given? [12:51] <ldimaggi_> tkirby, please put all this ^ into the JIRA - or we will forget it all [12:51] <griz> tkirby: A directory called Manifest in the prod zip containing a file called MANIFEST.MF? Sure. [12:51] <griz> ldimaggi_: will do. [12:51] <tkirby> mschoene, ^^^^ That OK with you? [12:54] <tkirby> griz unless mschoene objects go ahead with that, add the conversation to the Jiras [12:54] <griz> tkirby: will do. [12:54] <mschoene> tkirby, hmm, i am not sure i understand that entirely from the backlog , i'll comment in the jira [12:55] <tkirby> griz we may have a delay to the build so you probably have a day or so to revert it [12:55] <griz> tkirby: shouldn't take long to change and check [12:55] <tkirby> mschoene, the manifes will be call manifest.mf and will be in the top level of the zip under a dir called manifest [12:57] <griz> mschoene: hi. Just to make sure, The MANIFEST.MF will live in a directory called Manifest which will be a top level directory in the product zip. [12:58] <mschoene> griz, that sounds good to me, will that be in next ER? [12:58] <griz> mschoene: Yep. [13:00] <mschoene> griz, ok, then i'll have a look at that file too once available
Looks like everyone's happy now.
Temporarily reopening to update release note information.
Release Notes Docs Status: Added: Documented as Resolved Issue Release Notes Text: Added: https://issues.jboss.org/browse/SOA-1950 A signed manifest file has been added to the soa-5.1.0.zip archive that is available on the Customer Service Portal.. Customers should use this to check the integrity and source of the SOA-P5 jars on a per-file basis.