[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [tycho-user] tycho-user Digest, Vol 120, Issue 14
|
Sravan,
What is the relationship between this part:
https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n187
versus this part:
https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n187
One gets the impression that rt.exe is signed twice: once with
ant and once with Tycho/CBI.
Also, it's been my experience that the eclipsec.exe, which is not
renamed as part of branding, doesn't actually work because it
doesn't find the branded *.ini. Others appear to have this
experience as well.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=332714#c7
So when I redesigned the Oomph build to make better use of Tycho,
I now rename the eclipsec.exe to eclipse-instc.exe (using
exec-maven-plugin to run bash) and sign that with Tycho/CBI. (It
would seem better if p2 actually did this properly but it just
copies eclipsec.exe and that's just garbage/noise when the
executable has a branded name.)
If the executables that are copied (materialized) to the product
are already signed (where exactly do those come from?), do you
know if signing them again removes the old signature or just adds
a new signature? Looking at the properties, I only see one
signature on eclipse-inst.exe and eclipse-instc.exe. (The pom
you point at is for the starterkit product, so that's not really
the source of the launcher executables used by products I think.)
Regards,
Ed
On 27.08.2020 07:07, Sravan K
Lakkimsetti wrote:
Hi Ed,
We are signing equinox executables as well
from 4.17 release. See https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml
Thanks
Sravan
I am under the impression that the signing does happen while
building a product assuming of course you have the pom.xml
configured to do that. I see this in my logs:
[INFO] --- eclipse-winsigner-plugin:1.1.8-SNAPSHOT:sign (installer-executables) @ org.eclipse.oomph.setup.installer.product ---
[INFO] [Tue Aug 25 23:23:11 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:12 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:15 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:15 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:18 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.restricted/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:21 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.restricted/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:24 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre.restricted/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:27 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre.restricted/win32/win32/x86_64/eclipse-instc.exe'
I configure that like this:
<groupId>org.eclipse.cbi.maven.plugins</groupId>
<artifactId>eclipse-winsigner-plugin</artifactId>
<version>${jarsigner-version}</version>
<executions>
<execution>
<id>installer-executables</id>
<goals>
<goal>sign</goal>
</goals>
<phase>package</phase>
<configuration>
<fileNames>
<fileName>eclipse-instc.exe</fileName>
<fileName>eclipse-inst.exe</fileName>
</fileNames>
</configuration>
</execution>
The platform does such signing as well
using this same approach.
I think the Equinox launcher executables
are not already signed.
On 26.08.2020 12:54, Christoph Läubrich
wrote:
The icon replacement takes place in P2,
even though Tycho calls P2 here.
The only solution IMO would be if eclipse would publish a
signed and an unsigned executable with different updatesite
and/or features.
Another approach would be to remove the signature after the
build and add a new one then.
Am 26.08.20 um 12:49 schrieb Martin Lippert:
Hey
Michael,
in our case, when building a product with tycho that has
custom branding, tycho will modify the windows executable
to update the icons which are included in the executable.
So strictly speaking tycho modifies the executable as part
of the build process (in this case) and leaves the
old (now invalid) signature on the executable.
I might be missing a piece here, but that is at least what
we experienced for our product builds for Windows.
Cheers
Martin
On Tue, Aug 25, 2020 at 9:00 AM Keppler Michael
(ETAS/ESW-CI) <Michael.Keppler@xxxxxxxx <mailto:Michael.Keppler@xxxxxxxx>>
wrote:
Hi Ramesh,
Please make your process people aware that re-signing
already signed
(and not modified) executables is wrong. I had a hard
time doing
that in our department, since it enforced the same
wrong policy, but
we managed to change it.
If you include some Visual Studio runtime
redistributables from
Microsoft, you also don't re-sign all these included
DLLs to
override the Microsoft signature with a Bosch
signature, right? And
that's exactly the same for the eclipse executable.
Signatures are for expressing the origin of some
executable, and the
eclipse.exe is not created by Bosch. Signatures are
NOT meant to
say, that Bosch has approved/scanned for viruses or
whatever else.
Mit freundlichen Grüßen / Best regards
Michael Keppler
LTO Release Engineering (ETAS/ESW-CI)
Tel. +49 711 3423-2429 | Fax +49 711 89661-0 |
Michael.Keppler@xxxxxxxx <mailto:Michael.Keppler@xxxxxxxx>
-----Ursprüngliche Nachricht-----
Von: tycho-user-bounces@xxxxxxxxxxx
<mailto:tycho-user-bounces@xxxxxxxxxxx>
<tycho-user-bounces@xxxxxxxxxxx
<mailto:tycho-user-bounces@xxxxxxxxxxx>>
Im Auftrag von Sathish
Kumar Maheshwaran (RBEI/EMT1)
Gesendet: Mittwoch, 19. August 2020 09:18
An: tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
Cc: Narayana Swamy Ramesh (RBEI/EMT1)
<Ramesh.NarayanaSwamy@xxxxxxxxxxxx
<mailto:Ramesh.NarayanaSwamy@xxxxxxxxxxxx>>
Betreff: Re: [tycho-user] tycho-user Digest, Vol 120,
Issue 14
Thank you for the quick responses.
Let me elaborate on the problem we are facing.
Our problem is we do not want eclipse to sign the
executable. With
earlier version of eclipse (V4.8) the executable
generated out of
the materialized products did not have a signature
from Eclipse.
But when we try building using eclipse (V4.14) the
executable
generated has a signature from Eclipse.
We have our own product team which applies our
company's signature
on the EXE. Since the executable is already signed by
Eclipse our
signing process fails.
So we are looking at a goal or a setting in tycho
which will
instruct the p2 director plugin to skip the eclipse
signing process.
We have raised an Eclipse bug regarding that here:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=565937
We have also posted our question in stack overflow :
https://stackoverflow.com/questions/63326750/remove-digital-signature-from-generated-rcps-exe
Mit freundlichen Grüßen / Best regards
Maheshwaran Sathish Kumar
AUTOSAR MSR editors (RBEI/EMT1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049
Stuttgart | GERMANY |
www.bosch.com
<http://www.bosch.com>
Tel. +91 422 6191179 | Fax +91
422 663-4104 | Threema / Threema Work: +914226764154 |
SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>
Registered Office: Stuttgart, Registration Court:
Amtsgericht
Stuttgart, HRB 14000; Chairman of the Supervisory
Board: Franz
Fehrenbach; Managing Directors: Dr. Volkmar Denner,
Prof. Dr. Stefan
Asenkerschbaumer, Dr. Michael Bolle, Dr. Christian
Fischer, Dr.
Stefan Hartung, Dr. Markus Heyn, Harald Kröger,
Christoph Kübel,
Rolf Najork, Uwe Raschke, Peter Tyroller
-----Original Message-----
From: tycho-user-bounces@xxxxxxxxxxx
<mailto:tycho-user-bounces@xxxxxxxxxxx>
<tycho-user-bounces@xxxxxxxxxxx
<mailto:tycho-user-bounces@xxxxxxxxxxx>>
On Behalf Of
tycho-user-request@xxxxxxxxxxx
<mailto:tycho-user-request@xxxxxxxxxxx>
Sent: Wednesday, August 19, 2020 12:40 PM
To: tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
Subject: tycho-user Digest, Vol 120, Issue 14
Send tycho-user mailing list submissions to
tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
To subscribe or unsubscribe via the World Wide Web,
visit
https://eur03.safelinks.protection.outlook.com/?url="">
or, via email, send a message with subject or body
'help' to
tycho-user-request@xxxxxxxxxxx
<mailto:tycho-user-request@xxxxxxxxxxx>
You can reach the person managing the list at
tycho-user-owner@xxxxxxxxxxx
<mailto:tycho-user-owner@xxxxxxxxxxx>
When replying, please edit your Subject line so it is
more specific
than "Re: Contents of tycho-user digest..."
Today's Topics:
1. Building Eclipse RCP via equinox director signs
the RCP
executable automatically (Sathish Kumar
Maheshwaran (RBEI/EMT1))
2. Re: Building Eclipse RCP via equinox director
signs the RCP
executable automatically (Sravan K Lakkimsetti)
3. Re: Building Eclipse RCP via equinox director
signs the RCP
executable automatically (Johan Compagner)
----------------------------------------------------------------------
Message: 1
Date: Wed, 19 Aug 2020 05:51:11 +0000
From: "Sathish Kumar Maheshwaran (RBEI/EMT1)"
<SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>>
To: "tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>"
<tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>>
Cc: "Narayana Swamy Ramesh \(RBEI/EMT1\)"
<Ramesh.NarayanaSwamy@xxxxxxxxxxxx
<mailto:Ramesh.NarayanaSwamy@xxxxxxxxxxxx>>
Subject: [tycho-user] Building Eclipse RCP via equinox
director signs
the RCP executable automatically
Message-ID: <bd9df1445f26426797c3d7b71252f862@xxxxxxxxxxxx
<mailto:bd9df1445f26426797c3d7b71252f862@xxxxxxxxxxxx>>
Content-Type: text/plain; charset="utf-8"
Hello Users,
We are facing an issue while building an Eclipse RCP
in Eclipser
Version (V4.14) via tycho equinox p2 director plugin.
The RCP that is generated out of the materialize
products goal is
automatically signed by eclipse. This behavior does
not happen in
Eclipse Version (4.7) and is happening only in the
later versions.
Is there any tycho goal which we can add to disable
the signing
process for the executable. Thanks in advance.
Mit freundlichen Gr??en / Best regards
Maheshwaran Sathish Kumar
AUTOSAR MSR editors (RBEI/EMT1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049
Stuttgart | GERMANY |
http://www.bosch.com/
+914226764154 |
+SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx><mailto:SathishKumar.Maheswaran@in
<mailto:SathishKumar.Maheswaran@in>.
+bosch.com <http://bosch.com>>
?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://eur03.safelinks.protection.outlook.com/?url="">
------------------------------
Message: 2
Date: Wed, 19 Aug 2020 06:04:16 +0000
From: "Sravan K Lakkimsetti" <sravankumarl@xxxxxxxxxx
<mailto:sravankumarl@xxxxxxxxxx>>
To: "Tycho user list" <tycho-user@xxxxxxxxxxx
<mailto:tycho-user@xxxxxxxxxxx>>
Cc: "Narayana Swamy Ramesh \(RBEI/EMT1\)"
<Ramesh.NarayanaSwamy@xxxxxxxxxxxx
<mailto:Ramesh.NarayanaSwamy@xxxxxxxxxxxx>>
Subject: Re: [tycho-user] Building Eclipse RCP via
equinox director
signs the RCP executable automatically
Message-ID:
<OF7BA5F740.29FA2385-ON002585C9.00215944-1597817055953@xxxxxxxxxxxxxxxxxxxxxxx
<mailto:OF7BA5F740.29FA2385-ON002585C9.00215944-1597817055953@xxxxxxxxxxxxxxxxxxxxxxx>>
Content-Type: text/plain; charset="utf-8"
Hi,
I am not clear about this question.
We do sign executables for Windows and Mac. These are
already signed
and published in the platform repository. Tycho just
creates product
via materialize-products goal using platform/simrel
repositories.
Can you please elaborate on the OS you are targeting
and the problem
you are facing?
Thanks
Sravan
From: Sathish Kumar Maheshwaran (RBEI/EMT1)
<SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>>
Sent: 19 August 2020 11:22
To: tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
Cc: Narayana Swamy Ramesh (RBEI/EMT1)
<Ramesh.NarayanaSwamy@xxxxxxxxxxxx
<mailto:Ramesh.NarayanaSwamy@xxxxxxxxxxxx>>
Subject: [EXTERNAL] [tycho-user] Building Eclipse RCP
via equinox
director signs the RCP executable automatically
Hello Users,
We are facing an issue while building an Eclipse RCP
in Eclipser
Version (V4.14) via tycho equinox p2 director plugin.
The RCP that is generated out of the materialize
products goal is
automatically signed by eclipse. This behavior does
not happen in
Eclipse Version (4.7) and is happening only in the
later versions.
Is there any tycho goal which we can add to disable
the signing
process for the executable. Thanks in advance.
Mit freundlichen Gr??en / Best regards
Maheshwaran Sathish Kumar
AUTOSAR MSR editors (RBEI/EMT1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049
Stuttgart | GERMANY |
http://www.bosch.com/
+914226764154 | <mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>>
+SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>
?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://eur03.safelinks.protection.outlook.com/?url="">
------------------------------
Message: 3
Date: Wed, 19 Aug 2020 09:09:06 +0200
From: Johan Compagner <jcompagner@xxxxxxxxxx
<mailto:jcompagner@xxxxxxxxxx>>
To: Tycho user list <tycho-user@xxxxxxxxxxx
<mailto:tycho-user@xxxxxxxxxxx>>
Cc: "Narayana Swamy Ramesh \(RBEI/EMT1\)"
<Ramesh.NarayanaSwamy@xxxxxxxxxxxx
<mailto:Ramesh.NarayanaSwamy@xxxxxxxxxxxx>>
Subject: Re: [tycho-user] Building Eclipse RCP via
equinox director
signs the RCP executable automatically
Message-ID:
<CADcYmTKmL1EHrSk4+C_j+T1cjBnoGvhDqvbWMwP01yApktYfnw@xxxxxxxxxxxxxx
<mailto:CADcYmTKmL1EHrSk4%2BC_j%2BT1cjBnoGvhDqvbWMwP01yApktYfnw@xxxxxxxxxxxxxx>>
Content-Type: text/plain; charset="utf-8"
you can always sign it yourself if you want
https://eur03.safelinks.protection.outlook.com/?url="">
(from there are about 50 lines down)
then it is double signed..
On Wed, 19 Aug 2020 at 08:04, Sravan K Lakkimsetti
<sravankumarl@xxxxxxxxxx <mailto:sravankumarl@xxxxxxxxxx>>
wrote:
> Hi,
>
>
>
> I am not clear about this question.
>
>
>
> We do sign executables for Windows and Mac.
These are already signed
> and published in the platform repository. Tycho
just creates product
> via materialize-products goal using
platform/simrel repositories.
>
> Can you please elaborate on the OS you are
targeting and the problem
> you are facing?
>
>
>
> Thanks
>
> Sravan
>
>
>
> *From:* Sathish Kumar Maheshwaran (RBEI/EMT1)
<
> SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>>
> *Sent:* 19 August 2020 11:22
> *To:* tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
> *Cc:* Narayana Swamy Ramesh (RBEI/EMT1)
> <Ramesh.NarayanaSwamy@xxxxxxxxxxxx
<mailto:Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
> >
> *Subject:* [EXTERNAL] [tycho-user] Building
Eclipse RCP via equinox
> director signs the RCP executable automatically
>
>
>
> Hello Users,
>
>
>
> We are facing an issue while building an Eclipse
RCP in Eclipser
> Version
> (V4.14) via tycho equinox p2 director plugin.
>
>
>
> The RCP that is generated out of the materialize
products goal is
> automatically signed by eclipse. This behavior
does not happen in
> Eclipse Version (4.7) and is happening only in
the later versions.
>
>
>
> Is there any tycho goal which we can add to
disable the signing
> process for the executable. Thanks in advance.
>
>
>
>
>
> Mit freundlichen Gr??en / Best regards
>
> *Maheshwaran Sathish Kumar*
>
> AUTOSAR MSR editors (RBEI/EMT1)
> Robert Bosch GmbH | Postfach 10 60 50 | 70049
Stuttgart | GERMANY |
> http://www.bosch.com/
> +914226764154 | SathishKumar.Maheswaran@xxxxxxxxxxxx
<mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>
>
> ?
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
> To unsubscribe from this list, visit
>
https://eur03.safelinks.protection.outlook.com/?url="">.
> eclipse.org
<http://eclipse.org>%2Fmailman%2Flistinfo%2Ftycho-user&data="">
> shkumar.maheswaran%40in.bosch.com
<http://40in.bosch.com>%7Cf0a899694be540cf77fa08d8440ee26e%7
>
C0ae51e1907c84e4bbb6d648ee58410f4%7C0%7C0%7C637334178002734038&sda
>
ta=QgCyhpn2f8ri4%2BGQu2TOdOiQWf2tw4oqI%2BieZCC3aI4%3D&reserved=0
>
--
Johan Compagner
Servoy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://eur03.safelinks.protection.outlook.com/?url="">
------------------------------
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
To change your delivery options, retrieve your
password, or
unsubscribe from this list, visit
https://eur03.safelinks.protection.outlook.com/?url="">
End of tycho-user Digest, Vol 120, Issue 14
*******************************************
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/tycho-user
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/tycho-user
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user