Hi Fred,
JAR signing of the bundles and GPG-signing of the Maven artifacts are two different steps. Once a jar has been "jar-signed", you may or may not GPG sign the corresponding Maven artifact (.jar + .pom file) so that it can be deployed on Central. As you hinted, JAR signing has to be done before the GPG signing, since doing it the other way around would break the GPG signature.
So you first have to sign your org.eclipse.m2e.workspace.cli JAR file with the Eclipse Fdn certificate, either using the Maven plugin from CBI, the command line utility, or the signing web service – see [1].
Once you have your signed JAR, you can GPG sign it and stage it on Central like this:
    mvn gpg:sign-and-deploy-file \
      -DpomFile=target/myapp-1.0.pom \
      -Dfile=target/myapp-1.0.jar \
      -DrepositoryId=sonatype_oss
I hope this helps. FWIW we are trying to improve our GPG signing story and provide more guidance to projects regarding GPG in general so stay tuned…
Hope this helps!
Benjamin Cabé
Eclipse Foundation
+33 (0) 619196101
Hi,
Do you have any recommended strategy to make both
Central and Eclipse happy, signature-wise? Won't signing a
jar break the 1st signature?
Yes this is totally not my area of expertise :-)
Fred
--
"Have you tried turning it
off and on again" - The IT Crowd
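
Added example (not part of the original thread, and not Eclipse Foundation or CBI code): a pre-staging check that a JAR already carries its embedded JAR signature before it is GPG-signed, plus a demonstration of why the other order fails. The SHA-256 digest is a stand-in for a detached GPG signature, and the entry names and contents are constructed placeholders.

```python
import hashlib
import io
import zipfile

BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files that accompany a .SF file

def build_jar(entries):
    """Return the bytes of a JAR (a ZIP archive) holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def jar_signature_names(jar_bytes):
    """List signer names that have both META-INF/<name>.SF and a signature block file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper() for n in jar.namelist() if n.upper().startswith("META-INF/")}
    signers = []
    for n in sorted(names):
        if n.endswith(".SF") and n.count("/") == 1:
            base = n[:-3]
            if any(base + ext in names for ext in BLOCK_EXTS):
                signers.append(base.split("/", 1)[1])
    return signers

def detached_digest(jar_bytes):
    """Stand-in for a detached GPG signature: it covers every byte of the file."""
    return hashlib.sha256(jar_bytes).hexdigest()

def ready_for_gpg(jar_bytes):
    """Gate: only GPG-sign and stage a JAR that already carries a JAR signature."""
    return bool(jar_signature_names(jar_bytes))

# Constructed sample content, not a real bundle.
UNSIGNED = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
            "app/Main.class": b"\xca\xfe\xba\xbe"}
# Constructed placeholders for the entries JAR signing adds (not real signatures).
SIGNED = dict(UNSIGNED, **{"META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
                           "META-INF/SIGNER.RSA": b"placeholder-signature-block"})

unsigned_jar = build_jar(UNSIGNED)
signed_jar = build_jar(SIGNED)
early_sig = detached_digest(unsigned_jar)  # "GPG first" ordering, taken before JAR signing

if __name__ == "__main__":
    print("unsigned ready for GPG:", ready_for_gpg(unsigned_jar))
    print("signed ready for GPG:", ready_for_gpg(signed_jar), jar_signature_names(signed_jar))
    print("early signature still matches:", early_sig == detached_digest(signed_jar))
```

JAR signing rewrites the archive by adding entries under META-INF, so anything computed over the earlier bytes no longer matches, while a detached signature is a separate file and leaves the signed JAR untouched.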