Saturday Apr 25, 2009
Sometimes I browse through the archives of a mailing list and find some topics very interesting. I subscribe to it, but only new messages come to my mail client, and the topics I found interesting initially won't appear anymore. How I wish I could reply to those topics.
If it's also hosted on Google Groups, that's great. Just reply to it there. If you don't want to keep using your Google Account in the discussion, reply with some nonsense in Google Groups, and then reply with your real identity after that nonsense reaches your mailbox.
If the list is available on gmane.org, you may be able to reply from there.
If the above two methods do not apply, you can still force that mail to appear in your mailbox. Just create an mbox file and import it into your mail client. If the mailing list is not that busy, I would simply download the archive that includes the topic, gunzip it, and import the archive. Note that some archives change mail addresses to the form me at here.com. Running perl -p -i -e 's/ at /@/g' file fixes that.
Wednesday Apr 22, 2009
Trying to install it again. Last time (probably F8) it did not support GUI login as a NIS user. GDM hung.
Hope it's fine now. Will see if it's a better system for building OpenJDK.
Update: NIS account can log in, no +::: lines needed. However, the system goes unstable when trying to change the network setting to manual IP. Re grub-install and now back in Ubuntu.
Anyway, OS is there now, might try again someday.
Monday Apr 20, 2009
There are several enhancements to the jarsigner tool in OpenJDK lately.
First, jarsigner accepts a new option -certchain file to use a certificate chain stored in an external file. People can use PKCS #11 tokens to store their private keys. Some of these tokens are so small that there's no place to store the certificate chain inside them. Although you can access such a token with KeyStore.getInstance("pkcs11"), the getCertificateChain() method returns nothing. Now you can use jarsigner with this kind of token, using the token as the keystore, but pointing -certchain to another file that contains the full chain.
Second, people see jarsigner showing warnings now and then, such as an expired certificate or an incorrect key usage. If they want to detect these when jarsigner is called from a script, they can only grep for the words. Now, if you add the new option -strict, not only are the warnings printed, but System.exit(n) is also called when there are any warnings. Here, n is a binary sum of these pre-defined warning codes:
- 2: hasExpiringCert
- 4: chainNotValidated (including hasExpiredCert, notYetValidCert)
- 8: Usages problems (including badKeyUsage, badExtendedKeyUsage, badNetscapeCertType)
- 16: hasUnsignedEntry
- 32: notSignedByAlias or aliasNotInStore
Noticed the new warning type notSignedByAlias? Now you can call jarsigner -verify jarfile alias0 alias1... with zero or more aliases to check if the certificates of the signed entries inside the file match any of these aliases.
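A script can act on the -strict exit status directly instead of grepping the output. The following is an added example, not code from the original post or from OpenJDK: the function names, the short labels for each bit and the "tolerated mask" policy are assumptions, and any bit the list above does not mention is reported as unknown.

```shell
#!/bin/sh
# Added example: interpret the exit status of `jarsigner -verify -strict`.
# Bit values are the ones listed in the post; the labels are shorthand.

# decode_strict_status STATUS
# Prints the space-separated labels of the warning bits set in STATUS.
decode_strict_status() {
    status=$1
    names=""
    for pair in 2:hasExpiringCert 4:chainNotValidated 8:usageProblem \
                16:hasUnsignedEntry 32:notSignedByAlias/aliasNotInStore; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( status & bit )) -ne 0 ]; then
            names="${names}${names:+ }${name}"
        fi
    done
    # 62 = 2+4+8+16+32; anything outside that mask is not in the post's list.
    unknown=$(( status & ~62 ))
    if [ "$unknown" -ne 0 ]; then
        names="${names}${names:+ }unknown($unknown)"
    fi
    printf '%s\n' "${names:-none}"
}

# gate_strict_status STATUS TOLERATED_MASK
# Succeeds only if every bit set in STATUS is also set in TOLERATED_MASK.
gate_strict_status() {
    [ $(( $1 & ~$2 )) -eq 0 ]
}

# verify_jar JAR TOLERATED_MASK [ALIAS...]
# Runs the verification, logs the decoded warnings, applies the gate.
verify_jar() {
    jar=$1; tolerated=$2; shift 2
    rc=0
    jarsigner -verify -strict "$jar" "$@" >/dev/null 2>&1 || rc=$?
    echo "jarsigner warnings for $jar: $(decode_strict_status "$rc")" >&2
    gate_strict_status "$rc" "$tolerated"
}
```

For instance, verify_jar app.jar 2 release-key (constructed file and alias names) accepts a jar whose only warning is a certificate that is about to expire, and fails on unsigned entries or entries not signed by that alias.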
Third, people complain that jarsigner shows too little or too much output when verifying. If you simply verify a jarfile, it might tell you there are some warnings and to call it with -verbose -certs to read the details. You verify again with those two options on, and voilà... thousands of lines fly by and you cannot catch a word. Now -verbose has sub-options so you can tell it precisely how verbose the output should be:
- -verbose:all. This is the default -verbose, which shows as much information as it did before.
- -verbose:grouped. This shows less information. The entries with the same signer info are grouped together. This means the names of the entries are listed together, with the signer info printed only once. Something like this:
    smk A.class
    smk B.class
    ...
    Certificate A (CN=A, OU=B)
- -verbose:summary. This is the simplest one. Besides grouping the entries with the same signer info together, not all the entry names are printed, but only one line of summary. Something like this:
    smk A.class (and N-1 more)
    Certificate A (CN=A, OU=B)
Using this option, unless your jar file is signed by dozens of different signers, the output should not exceed two screens, no matter how many entries are inside.
who are you?
go read the first post of this blog. who are you?