[cross-project-issues-dev] Policy update on jar + pgp signing for SimRel contributions

Hi folks,

A few years ago we started using GPG signing for third party bundles. The planning council recently approved an update allowing Eclipse Foundation projects to contribute their code to SimRel using only GPG signing. 

This change does not require any projects to change what they are doing today. This change will hopefully simplify releng for projects that want to only deal with one kind of signing in their builds. 

Full text quoted from policy:

Signing

All plug-ins contributed to SimRel must be signed with Eclipse Foundation provided keys. The signing can be completed with Jar Signing, or GPG signing, or both if desired.

Jar Signing

The Eclipse Foundation makes a centralized Eclipse Certificate available to all projects that can be used for Jar signing. The Jar signing can be done using the centralized Eclipse Certificate which is accessible using the Eclipse CBI Maven plug-in.

Jars should generally be Jar signed only by their original creator and should not be re-signed by other projects.

GPG Signing

The Eclipse Foundation provides individual GPG keys for each project that allows projects to sign their deliverables, including Eclipse Plug-ins.

The signing can be done with the Tycho GPG plug-in. For details on obtaining GPG keys for your project see the IT Infrastructure section on GPG signing.

This is the main methodology to sign third-party content contributed to SimRel, but can be used for Eclipse content too. See the Eclipse Orbit project for more information about consuming third-party content in SimRel.



~~~
Jonah Graham (he/him)
Kichwa Coders
www.kichwacoders.com
