which is nice (and should be independent where you build it on, linux or windows)
<plugin>
<groupId>net.jsign</groupId>
<artifactId>jsign-maven-plugin</artifactId>
<version>3.0</version>
<executions>
<execution>
<goals>
<goal>sign</goal>
</goals>
<phase>package</phase>
<configuration>
<file>${project.build.directory}/products/servoy.product/win32/win32/x86_64/servoy.exe</file>
<name>Servoy</name>
<url>
http://servoy.com</url>
<keystore>${jarsigner.keystore}</keystore>
<alias>${jarsigner.alias}</alias>
<storepass>${jarsigner.storepass}</storepass>
<tsaurl>${jarsigner.tsa}</tsaurl>
</configuration>
</execution>
</executions>
</plugin>
problem is when should that run?
If i could get the right moment to sign that file (i am searching for that also)
then still i think thats only the installation the full product that is then signed
But that the dir: com.servoy.eclipse.product\target\repository\binary
that i use as our p2 repository for updating stuff i think have then executable that are not signed by our certificate. So if somebody does an update and the exe file is updated (i think that happens right?) that has to come from there. but how is that signed?
do i need to try to sign this file as soon as possible?
target\org.eclipse.equinox.executable-3.8.600.v20191014-2025\bin\win32\win32\x86_64\launcher.exe
what is the source of everything that makes the repo and then makes the product out of that repo?
--
