Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Any pointers on how to Eclipse-sign AND GPG-sign a jar?

Hi Fred,

JAR signing of the bundles and GPG-signing of the Maven artifacts are two different steps. Once a jar has been "jar-signed", you may or may not GPG sign the corresponding Maven artifact (.jar + .pom file) so as it can be deployed on Central. As you hinted, JAR signing has to be done before the GPG signing, since doing it the other way around would break the GPG signature.

So you first have to sign your org.eclipse.m2e.workspace.cli JAR file with the Eclipse Fdn certificate, either using the Maven plugin from CBI, the command line utility, or the signing web service – see [1]. 
Once you have your signed JAR, you can GPG sign it and stage it on Central like this:
 mvn gpg:sign-and-deploy-file
> -DpomFile=target/myapp-1.0.pom
> -Dfile=target/myapp-1.0.jar
> -Durl=
> -DrepositoryId=sonatype_oss

I hope this helps. FWIW we are trying to improve our GPG signing story and provide more guidance to projects regarding GPG in general so stay tuned… 

Hope this helps!

Benjamin Cabé

Eclipse Foundation
+33 (0) 619196101


De : Fred Bricon <fbricon@xxxxxxxxx>
Répondre à : Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Date : vendredi 16 janvier 2015 19:04
À : Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Objet : [cross-project-issues-dev] Any pointers on how to Eclipse-sign AND GPG-sign a jar?


m2e depends on a jar ( that is deployed on Maven Central. The problem is, it's GPG signed on a non-Eclipse server in order to be able to be deployed on Central, but that means it doesn't have the Eclipse signature. As a result, Eclipse complains about unsigned jar while installing m2e.

Do you have any recommended strategy to make both Central and Eclipse happy, signature-wise? Won't signing a jar break the 1st signature?

Yes this is totally not my area of expertise :-)


"Have you tried turning it off and on again" - The IT Crowd
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top