codesigning

Codesigning has been one of the worst issues we have had since we started working on the new Opera for Mac. How Apple managed to screw this up never ceases to amaze us.

Since yesterday morning, our build servers have been getting a CSSMERR_TP_NOT_TRUSTED error while code signing the Mac builds. We didn't notice until we tried to release the new Opera Next build in the afternoon, which was obviously bad timing. Our immediate reaction was to search for it on Google. Unfortunately, word hadn't spread yet, so all the results we got were from early 2009 to 2011, about some missing intermediate certificates, which completely misled us. We spent a couple of hours inspecting certificates on all 3 of our Mac buildbot servers, and none of them seemed wrong. One of my colleagues tried to re-sign a package locally with the certificates/keys installed and got the same error as well.

Fortunately our build server didn’t get the same error every time so we managed to get a build for release.

When I later searched for the same keyword but limited the results to the last 24 hours, we finally found the real answer to the problem. According to this discussion:

Apple timestamp server(s) after all that is the problem here. If I add the --timestamp=none option, codesign always succeeds.

I have exactly the same problem. Probably Apple got two timeservers, with one broken, and a 50% chance for us to reach the working one.

And it worked perfectly for us as well. The only thing I didn't know was whether it's safe to release a build without requesting a timestamp (or where we can find other trusted timestamp servers).

This morning I woke up and saw this summary about yesterday’s incident.

According to Allan Odgaard (the author of TextMate):

As long as the key hasn’t expired, there should be no issue with shipping an app without a date stamp, and quite sure I have shipped a few builds without the signed date stamp.

That at least gives us some confidence that if such an incident happens again, it shouldn't be a big issue to turn the timestamp off.

Update: More explanations from Apple:

The point of cryptographic timestamps is to assist with situations where your key is compromised. You recover from key compromise by asking Apple to revoke your certificate, which will invalidate (as far as code signing and Gatekeeper are concerned) every signature ever made with it unless it has a cryptographic timestamp that proves it was made before you lost control of your key. Every signature that does not have such a timestamp will become invalid upon revocation.
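
A build-server wrapper for the situation described in this post, added here as an example (it is not Opera's build script and not code from the original post): it retries codesign against the timestamp service first and falls back to --timestamp=none only when explicitly allowed, since per Apple's explanation above an untimestamped signature becomes invalid if the certificate is later revoked. The function names, the SIGN_* and ALLOW_UNTIMESTAMPED variables, the retry count and the delay are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Variable names, retry count and
# delay are assumptions; pass your own signing identity and bundle path.
SIGN_ATTEMPTS=${SIGN_ATTEMPTS:-5}             # tries against the timestamp service
SIGN_DELAY=${SIGN_DELAY:-10}                  # seconds between tries
ALLOW_UNTIMESTAMPED=${ALLOW_UNTIMESTAMPED:-0} # 1 = permit --timestamp=none fallback

# sign_with_retry IDENTITY PATH
# Returns 0: signed with a timestamp, 2: signed without one, 1: not signed.
sign_with_retry() {
    identity=$1
    target=$2
    attempt=1
    while [ "$attempt" -le "$SIGN_ATTEMPTS" ]; do
        if codesign --force --sign "$identity" --timestamp "$target"; then
            return 0
        fi
        echo "codesign attempt $attempt/$SIGN_ATTEMPTS failed" >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$SIGN_ATTEMPTS" ]; then
            sleep "$SIGN_DELAY"
        fi
    done
    if [ "$ALLOW_UNTIMESTAMPED" = 1 ]; then
        echo "WARNING: signing without a timestamp" >&2
        if codesign --force --sign "$identity" --timestamp=none "$target"; then
            return 2
        fi
    fi
    return 1
}

# has_secure_timestamp PATH
# codesign -d -vv prints "Timestamp=..." for a timestamp-service signature and
# "Signed Time=..." when only the signer's local clock was recorded.
has_secure_timestamp() {
    codesign -d -vv "$1" 2>&1 | grep -q '^Timestamp='
}
```

A release job can treat return code 2 as "shippable but flagged" and use has_secure_timestamp to audit already-built artifacts for signatures that would not survive a certificate revocation.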

vim-cocoa 0.3 beta 1 released

After two days of work, here is the first beta of the 0.3 series of vim-cocoa.

vim-cocoa 0.3b1 screenshot

What’s New?

  • Updated vim to 7.2.49
  • Use Core Text to replace ATSUI for text rendering
  • Optimize program startup
  • Support transparency option to control background transparency
  • Fix cursor redraw on right clicking
  • Fix CTRL + SHIFT + ? key handling ( Issue 35 )
  • Mac OS X 10.5 only (Since Core Text is a 10.5 only framework)

Download

View Source

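Finally able to use the lab printer

Our lab's printer is an HP LaserJet 1020, attached to a Windows 2003 Server machine and shared over Samba. I had always been too lazy to figure out how to use this shared printer from a Mac, so whenever I needed something printed I sent it to someone else to print for me.

Today I had time to try to solve this. First I opened Print & Fax in System Preferences and tried to add a printer, only to find that browsing the workgroup under Windows did not show the computer the printer is attached to:

(Screenshot: the machine hosting the printer cannot be found)

So what to do? I started googling, and after looking around I found that you need Custom Toolbar to get the Advanced item shown in the screenshot above, which provides the functionality of the Printer Setup Utility from 10.4 and lets you configure a Samba-shared printer by entering its IP directly.

Since this was my first time, I also used smbclient //IP/PrinterName to check that the connection really works.

Also, printing still asks for a password, but for a share with no password set you can choose Guest.

With that configured, I chose print but the printer still did not respond. I suspected the driver was wrong: I had originally picked the PPD for a Generic PostScript printer, but HP simply does not provide an official Mac driver for the LaserJet 1020… After some googling I found a very nice solution: foo2zjs, an open-source driver set that provides some missing printer support for Linux and Mac OS X. Note that you can also find a lot of related discussion online, and another driver for the 1022 is said to work as well, but it does not seem to work for shared printers.

After installing the driver and the packages it depends on, in order, as instructed, I selected HP LaserJet 1020 Foomatic under Driver and finally printed successfully. I was so moved.

HP LaserJet open-source driver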

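Some fixes for Chmox

Chmox is a commonly used chm reader on Mac OS X. Its last version was 0.4β, released on 2006-10-28, which is also its only Universal Binary version; the author has not updated it since. Like many Mac users, I was troubled by the lack of a good chm reader, so I tried to make some fixes.

The main update follows what ChmSee (http://chmsee.gro.clinux.org/) does to fix some encoding-detection problems, covering both the encoding of the table of contents and the encoding of the displayed content. Anyone interested is welcome to send me chm files that Chmox cannot open or opens incorrectly (keeping the file size as small as possible, of course), and I will do my best to fix them.

Below is the recent changelog (version numbers continue incrementing from the author's original scheme):

Chmox 0.4.2

Updates:

- Fix some chm files failing to load pages correctly (reported by faithprice)
- Do not open the Drawer when there is no table of contents
- Provide a simple in-page search feature

Chmox 0.4.1*

Note: the version number is my own continuation of the original versions at http://chmox.sourceforge.net/,
so it is not an official version number (the author seems to have stopped maintaining it).

Updates:

- Update to chmlib 0.39
- Fix some compiler warnings
- Use the LCID information in the chm file itself to determine the encoding of the CHM table of contents,
  fixing some common encoding-detection errors when parsing the table of contents

Download link: Chmox-0.4.2.zip

Update: I have just set up a git repository. Use git clone git://gitorious.org/chmox/mainline.git to get the latest code, and visit here to follow the project's latest development progress.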