Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-dev] Processing artifacts from a p2 update site generated by an eclipse-repository module

I don't have a running build with code signing myself but I know the eclipse platform build does using eclipse-jarsigner-plugin.
AFAIK they sign individal jars for each plugin/feature by replacing them in the corresponding target/ folder.

Perhaps looking at

could help. Or try to contact cbi-dev@xxxxxxxxxxx


On 22.06.17, 17:42, "tycho-dev-bounces@xxxxxxxxxxx on behalf of Robert Munteanu" <tycho-dev-bounces@xxxxxxxxxxx on behalf of robert.munteanu@xxxxxxxxx> wrote:


I am trying to get code signing to work with Tycho. I am required to
use a third-party code signing service, which expects me to upload
multiple jar files and in return will give me the signed files.

My first attempt was to write a small Maven plug-in which does just
that and configure it in my eclipse-repository module. However, I
can't insert it in the right point. I would assume this would be
between default-assemble-repository and default-archive-repository, so
that the plug-ins are located under target/repository/plugins but the
metadata is not yet generated. prepare-package is too early, package
is too late.

My second attempt was to manually perform the code signing and replace
the files. However, according to [1] this is not a safe approach.

Third attempt is to locate the reactor dependencies at runtime and
sign those artifacts. WIth a snippet like

            for (Artifact dep : project.getDependencyArtifacts() ) {
                getLog().info("Found dependency " + dep + " at " +

I would only get the eclipse-feature dependencies from the reactor,
and dep.getFile() returns null.

At this point I'm out of ideas.

How can I process the artifacts included in an eclipse-repository
before the packaging occurs?



(Please keep me on CC, I'm not subscribed to this list)


tycho-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top