|[cross-project-issues-dev] Deprecating the command line JAR signing service (aka /usr/bin/sign) - read if you use Buckminster|
Effective immediately, we are deprecating the usage the command line signing service (aka /usr/bin/sign).
Most certainly, this will only affect you if you use Buckminster as a build system (because Buckminster can only sign jars via /usr/bin/sign service). If you use Tycho, you're not concerned.
There are two strategies for Buckminster users:
1- Migrate to a modern / maintained build plugin system (see Buckminster's activity - https://projects.eclipse.org/projects/tools.buckminster). See Tycho documentation (https://wiki.eclipse.org/Tycho/Pack200#Pack200_and_Signing) and CBI Jarsigner Maven plugin (https://www.eclipse.org/cbi/maven-plugins/documentation/latest/eclipse-jarsigner-plugin/sign-mojo.html) for how to add jar signing to a Tycho build.
2- Deactivate signing in Buckminster and do the repacking and the signing phase as a post build step. You will need to do some shell scripting (in your CI instance) to browse all the jars, pack200/unpack200 them (aka repack) and then sign them. To sign a jar, you can use the webservice that the CBI maven plugin uses in the background (see the Jar signing web service documentation for details - https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service_.28Instant.29).
If option 2 is chosen and highly motivated, we can provide some assistance with the shell script (fill a bug under CBI/Signing-Service https://bugs.eclipse.org/bugs/enter_bug.cgi?product=CBI&component=signing-service).
I've updated our documentation (https://wiki.eclipse.org/IT_Infrastructure_Doc#Deprecated_-_ZIP_and_JAR_files_from_the_command_line_.28queued_or_not.29) to mention the deprecation. A bug has been created to keep track of the termination (https://bugs.eclipse.org/bugs/show_bug.cgi?id=521263).
Mikaël Barbero - Eclipse Foundation
IT Services - Release Engineering
📱 (+33) 642 028 039
Description: Message signed with OpenPGP
Back to the top