Re: [cross-project-issues-dev] CBI Maven plugins 1.1.3-SNAPSHOT

Hi Mikael,

I am very excited about the digestAlgorithm option because I hope it can be the solution for Eclipse Bug 378155 [1]. The issue is that the plugins which are signed with the eclipse-jarsigner-plugin cannot be installed on Eclipse Indigo and earlier. I tried to use the TestServer to see if I can sign the plugins with SHA-1 so they can be successfully installed on Eclipse Indigo, but I've hit some roadblocks.

1. The fully qualified class name must be provided in the command, i.e. org.eclipse.cbi.webservice.signing.jar.TestServer. This was easy to resolve.

2. I get a NullPointerException when starting the Test Server. I looked at the source code to find that this is due to a missing HTTP_PROXY environment variable on my system. My system has a direct Internet connection, so it does not make sense to define such variables. I had to check out the code, comment out some lines and run it from Eclipse to resolve this issue.

3. The signing with the Test Server is very slow. It takes around a minute to sign a single jar file. My CPU is not utilized at all. I have no solution for this.

4. I tried using the SHA_1 digest algorithm, but the result is not the same as the JAR being signed with Java 6. I have "SHA-1-Digest" headers in the MANIFEST.MF file instead of "SHA1-Digest". Note the extra dash. So, the installation of these plugins on Eclipse Indigo is still not successful. I did not find a valid configuration for the digestAlgorithm option to get the correct "SHA1-Digest" header. I tried with SHA1, but I got an error that it is not a valid value.

I hope you can give me some hints how I can use version 1.1.3-SNAPSHOT to sign the plugins in a way that they can be installed successfully on Eclipse Indigo.



On Tue, Oct 20, 2015 at 1:36 PM, Mikael Barbero <mikael@xxxxxxxxxxx> wrote:

I just released version 1.1.3-SNAPSHOT of CBI maven plugins. Please give it a try. You should only need to change the version from whatever you use to 1.1.3-SNAPSHOT. Here is the list of changes:

* A lot of things have changed under the hood to provide better reliability and the plugins are now extensively tested. 

* A new plugin has appeared (thanks to Pascal Rapicault): the dmg packager. It gives you the possibility to package an OS X application as a DMG (Apple's .msi equivalent). Please note that this plugin is still in beta-stage, but feedback is more than welcome!

* Two new options have been added to the jarsigner plugin (to fix

* Non-qualified properties (e.g. -DcontinueOnFail) have been deprecated in favor of qualified properties (-D cbi.jarsigner.continueOnFail) to avoid collision with other plugins. Non-qualified properties are still supported, but they are implemented by parameter starting with "deprecated". It should not change anything for people who don't use user properties (i.e. '-D' on the maven command line). If you do, you will see a deprecation warning.

* Staging documentation is available here You will see that documentation for a low-level plugin is now available (

* A standalone test server is available to help people debug jar signing locally, without the need to run builds on the Eclipse servers. Just download and (or more recent) and run the following command

java -cp /path/where/you/download/the/jars/jar-signing-service-1.0.0-20151020.095931-22.jar:/path/where/you/download/the/jars/jar-signing-service-1.0.0-20151020.095931-22-tests.jar: TestServer

It will print a URL (like http://localhost:3138/jarsigner) that you can add to your maven build (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner) and it will sign your jars locally with a dummy certificate. You can pass --help to see the options you can give to the TestServer.
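
The header-name mismatch from point 4 of the reply ("SHA-1-Digest" versus "SHA1-Digest"), as an added example that is not part of the original thread or of the CBI code base: a Python check that reports which digest header names a signed JAR's MANIFEST.MF uses per entry. The function names are hypothetical, and the sample JAR and its digest values are constructed.

```python
import io
import zipfile
from collections import Counter

def parse_manifest_sections(text):
    """Split MANIFEST.MF text into a list of {header: value} sections."""
    sections, current, last_key = [], {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":  # a blank line ends a section
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]  # continuation of a wrapped value
        elif ":" in line:
            last_key, _, value = line.partition(":")
            current[last_key] = value.lstrip(" ")
    if current:
        sections.append(current)
    return sections

def digest_headers(jar_bytes):
    """Count the '*-Digest' header names in a JAR's per-entry sections."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    counts = Counter()
    for section in parse_manifest_sections(text)[1:]:  # [0] is the main section
        counts.update(k for k in section if k.endswith("-Digest"))
    return dict(counts)

def build_sample_jar(header_name):
    """Constructed sample: a JAR holding only a manifest with two entries."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        "Name: org/example/a/long/package/name/that/forces/a/wrapped/l\r\n"
        " ine/Foo.class\r\n"
        f"{header_name}: CONSTRUCTED-PLACEHOLDER-A=\r\n\r\n"  # not a real digest
        "Name: plugin.xml\r\n"
        f"{header_name}: CONSTRUCTED-PLACEHOLDER-B=\r\n\r\n"  # not a real digest
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    for name in ("SHA1-Digest", "SHA-1-Digest"):
        print(name, "->", digest_headers(build_sample_jar(name)))
```

Passing the bytes of a real signed JAR to digest_headers shows at a glance which header name the signer wrote, before the plugin is offered to an older Eclipse install.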

