Signing the plugin content [message #1818421] Sun, 15 December 2019 14:49
George Azzam
Hello,

I am trying to sign a plugin. We go over all *.JAR files and sign each of them with jarsigner (JDK); all of the *.JAR files are signed OK according to jarsigner (I run -verify to check that it is OK).
Then we upload all the content to an Amazon S3 folder, and the content of the folder looks like:
features -> (a folder)
plugins -> (a folder)
artifacts.jar
artifacts.xml
artifacts.xml.xz
content.jar
content.xml.xz
p2.index

And then when I try to install this plugin from Eclipse (using "Install New software"), I get this error:

An error occurred while collecting items to be installed
session context was:(profile=epp.package.java, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: org.eclipse.update.feature,org.whitesource.eclipse.feature,19.11.4.201912151353.
SHA-256 hash is not as expected. Expected: 3593f25c19615c2d681dd245fe8cdbbae3cef76233e0089fa6f81df32a814671 and found 58be674e271deb7dbcabe85b23fac56cdf77a3d9e3e945490c705e63f8852944.
Problems downloading artifact: osgi.bundle,org.whitesource.eclipse.plugin,19.11.4.201912151353.
SHA-256 hash is not as expected. Expected: 75f9982cce84645d31ceb3f50e48dd7656b3f160db8b5b9c214798c578fcfb3a and found 9d790bd3d3f2c210078ea940170a2dd5cd7435c135c9c0918423d89f6f3aff70.


But when I remove the signing procedure and install the plugin, I get a warning, and I can install it and it works OK, so I guess there is no issue in the plugin itself; the issue is in signing the JAR files.

My questions are:
1- Why are the SHA-256 hashes different?
2- Where do the "expected SHA-256" and "found SHA-256" come from?
3- What is the correct way to sign JARs for Eclipse plugins in order to upload them to the Eclipse Marketplace?
4- Can we use our own purchased certificate, or should we use Eclipse's public certificates?
5- Can we use "http://build.eclipse.org:31338/sign"?
The description at https://wiki.eclipse.org/JAR_Signing is not very clear on how to sign the plugin.

This is the script that we use to sign the JARs:
# Here should be only 1 file
for file in ./site/features/*.jar; do
    jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass "$storepass" "$file" Server
    echo "Verify sign"
    jarsigner -verify "$file"
done
#
# Here should be only 1 file
for file in ./site/plugins/*.jar; do
    jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass "$storepass" "$file" Server
    echo "Verify sign"
    jarsigner -verify "$file"
done
#
jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass "$storepass" ./site/artifacts.jar Server
echo "Verify sign - artifacts.jar"
jarsigner -verify ./site/artifacts.jar
#
jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass "$storepass" ./site/content.jar Server
echo "Verify sign - content.jar"
jarsigner -verify ./site/content.jar
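
Added example, not part of the original post: in a p2 repository, artifacts.xml records a SHA-256 for each artifact (the "expected" value) and the installer compares it with the hash of the bytes it downloads (the "found" value), so a JAR modified after the metadata was generated, for instance by jarsigner, no longer matches. The Python check below compares the two before upload; the `download.checksum.sha-256` property name and the `plugins/` and `features/` `id_version.jar` layout are assumptions about a default repository, and the sample repository is constructed.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed default p2 layout for the two classifiers named in the error message.
DIRS = {"osgi.bundle": "plugins", "org.eclipse.update.feature": "features"}
SHA256_PROP = "download.checksum.sha-256"

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_repo(repo):
    """Return (artifact key, expected, found) for each JAR whose bytes no
    longer match the SHA-256 recorded for it in artifacts.xml."""
    repo, mismatches = Path(repo), []
    for art in ET.parse(repo / "artifacts.xml").getroot().iter("artifact"):
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        subdir, expected = DIRS.get(art.get("classifier")), props.get(SHA256_PROP)
        if subdir is None or expected is None or props.get("format") == "packed":
            continue  # other classifiers and packed artifacts are out of scope here
        jar = repo / subdir / f"{art.get('id')}_{art.get('version')}.jar"
        found = sha256_file(jar) if jar.is_file() else "missing"
        if found != expected.lower():
            key = ",".join(art.get(k) for k in ("classifier", "id", "version"))
            mismatches.append((key, expected, found))
    return mismatches

def build_sample_repo(root):
    """Constructed sample repository: one plugin JAR plus metadata that
    records the JAR's checksum at metadata-generation time."""
    root = Path(root)
    (root / "plugins").mkdir(parents=True)
    jar = root / "plugins" / "com.example.plugin_1.0.0.jar"
    jar.write_bytes(b"constructed stand-in for an unsigned JAR")
    (root / "artifacts.xml").write_text(
        "<repository><artifacts size='1'><artifact classifier='osgi.bundle' "
        "id='com.example.plugin' version='1.0.0'><properties size='1'>"
        f"<property name='{SHA256_PROP}' value='{sha256_file(jar)}'/>"
        "</properties></artifact></artifacts></repository>")
    return jar

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_repo(tmp)
        print("metadata fresh:", check_repo(tmp))
        jar.write_bytes(jar.read_bytes() + b"bytes added after metadata")
        print("JAR changed later:", check_repo(tmp))
```

Run against a local copy of the repository directory, an empty result from `check_repo` means every listed JAR still matches its recorded checksum.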


