Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-user] Question about signing and keystore management

Le 2 oct. 2015 à 09:38, Andreas Sewe <andreas.sewe@xxxxxxxxxxxxxx> a écrit :

Hi Aleksandar,

I was wondering, do you sign your plugins and how do you manage your
keystores containing the certificates?

well, on the Open Source side of things we use the Eclipse Foundations
signing service through the eclipse-jarsigner-plugin. If you don't mind
the admin work, you can also set up your own signing webservice and use
the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
not need to distribute your keystore at all but can keep it on the
webservice's server. (Disclaimer: I have not tried this.)

Of course with this solution, you need to protect the access to the webservice, otherwise anybody can sign jars with the certificate. We achieve that by keeping it behind our firewall, and only machines from the same origin can call it. 

Feel free to ask question on cbi-dev@xxxxxxxxxxx if you need help with these.


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Back to the top