Re: [tycho-user] tycho-user Digest, Vol 120, Issue 14

Sravan,

What is the relationship between this part:

https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n187

versus this part:

https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n187

One gets the impression that rt.exe is signed twice: once with ant and once with Tycho/CBI.

Also, it's been my experience that the eclipsec.exe, which is not renamed as part of branding, doesn't actually work because it doesn't find the branded *.ini. Others appear to have this experience as well.

  https://bugs.eclipse.org/bugs/show_bug.cgi?id=332714#c7

So when I redesigned the Oomph build to make better use of Tycho, I now rename the eclipsec.exe to eclipse-instc.exe (using exec-maven-plugin to run bash) and sign that with Tycho/CBI.  (It would seem better if p2 actually did this properly but it just copies eclipsec.exe and that's just garbage/noise when the executable has a branded name.)

If the executables that are copied (materialized) to the product are already signed (where exactly do those come from?), do you know if signing them again removes the old signature or just adds a new signature? Looking at the properties, I only see one signature on eclipse-inst.exe and eclipse-instc.exe. (The pom you point at is for the starterkit product, so that's not really the source of the launcher executables used by products I think.)

Regards,
Ed

On 27.08.2020 07:07, Sravan K Lakkimsetti wrote:

Hi Ed,

 

We are signing equinox executables as well from 4.17 release. See https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml

 

Thanks

Sravan

 

From: Ed Merks <ed.merks@xxxxxxxxx>
Sent: 26 August 2020 18:09
To: tycho-user@xxxxxxxxxxx
Subject: [EXTERNAL] Re: [tycho-user] tycho-user Digest, Vol 120, Issue 14

 

I am under the impression that the signing does happen while building a product assuming of course you have the pom.xml configured to do that.  I see this in my logs:

[INFO] --- eclipse-winsigner-plugin:1.1.8-SNAPSHOT:sign (installer-executables) @ org.eclipse.oomph.setup.installer.product ---
[INFO] [Tue Aug 25 23:23:11 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:12 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:15 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:15 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:18 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.restricted/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:21 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.restricted/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:24 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre.restricted/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:27 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre.restricted/win32/win32/x86_64/eclipse-instc.exe'

I configure that like this:

          <plugin>
            <groupId>org.eclipse.cbi.maven.plugins</groupId>
            <artifactId>eclipse-winsigner-plugin</artifactId>
            <version>${jarsigner-version}</version>
            <executions>
              <execution>
                <id>installer-executables</id>
                <goals>
                  <goal>sign</goal>
                </goals>
                <phase>package</phase>
                <configuration>
                  <fileNames>
                    <fileName>eclipse-instc.exe</fileName>
                    <fileName>eclipse-inst.exe</fileName>
                  </fileNames>
                </configuration>
              </execution>
            </executions>
          </plugin>

 

The platform does such signing as well using this same approach.

 

 

I think the Equinox launcher executables are not already signed.

 

 

On 26.08.2020 12:54, Christoph Läubrich wrote:

The icon replacement takes place in P2, even though Tycho calls P2 here.

The only solution IMO would be if eclipse would publish a signed and an unsigned executable with different updatesite and/or features.

Another approach would be to remove the signature after the build and add a new one then.

On 26.08.20 at 12:49, Martin Lippert wrote:

Hey Michael,

in our case, when building a product with tycho that has custom branding, tycho will modify the windows executable to update the icons which are included in the executable.
So strictly speaking tycho modifies the executable as part of the build process (in this case) and leaves the old (now invalid) signature on the executable.

I might be missing a piece here, but that is at least what we experienced for our product builds for Windows.

Cheers
Martin




On Tue, Aug 25, 2020 at 9:00 AM Keppler Michael (ETAS/ESW-CI) <Michael.Keppler@xxxxxxxx> wrote:

    Hi Ramesh,

    Please make your process people aware that re-signing already signed
    (and not modified) executables is wrong. I had a hard time doing
    that in our department, since it enforced the same wrong policy, but
    we managed to change it.
    If you include some Visual Studio runtime redistributables from
    Microsoft, you also don't re-sign all these included DLLs to
    override the Microsoft signature with a Bosch signature, right? And
    that's exactly the same for the eclipse executable.

    Signatures are for expressing the origin of some executable, and the
    eclipse.exe is not created by Bosch. Signatures are NOT meant to
    say, that Bosch has approved/scanned for viruses or whatever else.

    Mit freundlichen Grüßen / Best regards

    Michael Keppler

    LTO Release Engineering (ETAS/ESW-CI)
    Tel. +49 711 3423-2429 | Fax +49 711 89661-0 |
    Michael.Keppler@xxxxxxxx <mailto:Michael.Keppler@xxxxxxxx>


    -----Original Message-----
    From: tycho-user-bounces@xxxxxxxxxxx On Behalf Of Sathish Kumar Maheshwaran (RBEI/EMT1)
    Sent: Wednesday, 19 August 2020 09:18
    To: tycho-user@xxxxxxxxxxx
    Cc: Narayana Swamy Ramesh (RBEI/EMT1) <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
    Subject: Re: [tycho-user] tycho-user Digest, Vol 120, Issue 14

    Thank you for the quick responses.

    Let me elaborate on the problem we are facing.

    Our problem is we do not want eclipse to sign the executable. With
    earlier version of eclipse (V4.8) the executable generated out of
    the materialized products did not have a signature from Eclipse.
    But when we try building using eclipse (V4.14) the executable
    generated has a signature from Eclipse.

    We have our own product team which applies our company's signature
    on the EXE. Since the executable is already signed by Eclipse our
    signing process fails.
    So we are looking at a goal or a setting in tycho which will
    instruct the p2 director plugin to skip the eclipse signing process.

    We have raised an Eclipse bug  regarding that here:
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=565937

    We have also posted our question in stack overflow :
    https://stackoverflow.com/questions/63326750/remove-digital-signature-from-generated-rcps-exe


    Mit freundlichen Grüßen / Best regards

      Maheshwaran Sathish Kumar

    AUTOSAR   MSR editors (RBEI/EMT1)
    Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY |
    www.bosch.com <http://www.bosch.com> Tel. +91 422 6191179 | Fax +91
    422 663-4104 | Threema / Threema Work: +914226764154 |
    SathishKumar.Maheswaran@xxxxxxxxxxxx
    <mailto:SathishKumar.Maheswaran@xxxxxxxxxxxx>

    Registered Office: Stuttgart, Registration Court: Amtsgericht
    Stuttgart, HRB 14000; Chairman of the Supervisory Board: Franz
    Fehrenbach; Managing Directors: Dr. Volkmar Denner, Prof. Dr. Stefan
    Asenkerschbaumer, Dr. Michael Bolle, Dr. Christian Fischer, Dr.
    Stefan Hartung, Dr. Markus Heyn, Harald Kröger, Christoph Kübel,
    Rolf Najork, Uwe Raschke, Peter Tyroller

    -----Original Message-----
    From: tycho-user-bounces@xxxxxxxxxxx On Behalf Of tycho-user-request@xxxxxxxxxxx
    Sent: Wednesday, August 19, 2020 12:40 PM
    To: tycho-user@xxxxxxxxxxx
    Subject: tycho-user Digest, Vol 120, Issue 14


    Today's Topics:

        1. Building Eclipse RCP via equinox director signs the RCP
           executable automatically (Sathish Kumar Maheshwaran (RBEI/EMT1))
        2. Re: Building Eclipse RCP via equinox director signs the RCP
           executable automatically (Sravan K Lakkimsetti)
        3. Re: Building Eclipse RCP via equinox director signs the RCP
           executable automatically (Johan Compagner)


    ----------------------------------------------------------------------

    Message: 1
    Date: Wed, 19 Aug 2020 05:51:11 +0000
    From: "Sathish Kumar Maheshwaran (RBEI/EMT1)" <SathishKumar.Maheswaran@xxxxxxxxxxxx>
    To: "tycho-user@xxxxxxxxxxx" <tycho-user@xxxxxxxxxxx>
    Cc: "Narayana Swamy Ramesh (RBEI/EMT1)" <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
    Subject: [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically
    Message-ID: <bd9df1445f26426797c3d7b71252f862@xxxxxxxxxxxx>
    Content-Type: text/plain; charset="utf-8"

    Hello Users,

    We are facing an issue while building an Eclipse RCP in Eclipse
    Version (V4.14) via tycho equinox p2 director plugin.

    The RCP that is generated out of the materialize products goal is
    automatically signed by eclipse. This behavior does not happen in
    Eclipse Version (4.7) and is happening only in the later versions.

    Is there any tycho goal which we can add to disable the signing
    process for the executable. Thanks in advance.


    Mit freundlichen Grüßen / Best regards

    Maheshwaran Sathish Kumar

    AUTOSAR MSR editors (RBEI/EMT1)
    Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY |
    http://www.bosch.com/
    +914226764154 | SathishKumar.Maheswaran@xxxxxxxxxxxx
    ------------------------------

    Message: 2
    Date: Wed, 19 Aug 2020 06:04:16 +0000
    From: "Sravan K Lakkimsetti" <sravankumarl@xxxxxxxxxx>
    To: "Tycho user list" <tycho-user@xxxxxxxxxxx>
    Cc: "Narayana Swamy Ramesh (RBEI/EMT1)" <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
    Subject: Re: [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically
    Message-ID: <OF7BA5F740.29FA2385-ON002585C9.00215944-1597817055953@xxxxxxxxxxxxxxxxxxxxxxx>

    Content-Type: text/plain; charset="utf-8"

    Hi,



    I am not clear about this question.



    We do sign executables for Windows and Mac. These are already signed
    and published in the platform repository. Tycho just creates product
    via materialize-products goal using platform/simrel repositories.

    Can you please elaborate on the OS you are targeting and the problem
    you are facing?



    Thanks

    Sravan



    From: Sathish Kumar Maheshwaran (RBEI/EMT1) <SathishKumar.Maheswaran@xxxxxxxxxxxx>
    Sent: 19 August 2020 11:22
    To: tycho-user@xxxxxxxxxxx
    Cc: Narayana Swamy Ramesh (RBEI/EMT1) <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
    Subject: [EXTERNAL] [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically



    Hello Users,



    We are facing an issue while building an Eclipse RCP in Eclipse
    Version (V4.14) via tycho equinox p2 director plugin.



    The RCP that is generated out of the materialize products goal is
    automatically signed by eclipse. This behavior does not happen in
    Eclipse Version (4.7) and is happening only in the later versions.



    Is there any tycho goal which we can add to disable the signing
    process for the executable. Thanks in advance.





    Mit freundlichen Grüßen / Best regards

    Maheshwaran Sathish Kumar

    AUTOSAR MSR editors (RBEI/EMT1)
    Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY |
    http://www.bosch.com/
    +914226764154 | SathishKumar.Maheswaran@xxxxxxxxxxxx


    ------------------------------

    Message: 3
    Date: Wed, 19 Aug 2020 09:09:06 +0200
    From: Johan Compagner <jcompagner@xxxxxxxxxx>
    To: Tycho user list <tycho-user@xxxxxxxxxxx>
    Cc: "Narayana Swamy Ramesh (RBEI/EMT1)" <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
    Subject: Re: [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically
    Message-ID: <CADcYmTKmL1EHrSk4+C_j+T1cjBnoGvhDqvbWMwP01yApktYfnw@xxxxxxxxxxxxxx>
    Content-Type: text/plain; charset="utf-8"

    you can always sign it yourself if you want

    https://eur03.safelinks.protection.outlook.com/?url="">

    (from there are about 50 lines down)

    then it is double signed..


    On Wed, 19 Aug 2020 at 08:04, Sravan K Lakkimsetti <sravankumarl@xxxxxxxxxx> wrote:

     > Hi,
     >
     >
     >
     > I am not clear about this question.
     >
     >
     >
     > We do sign executables for Windows and Mac. These are already signed
     > and published in the platform repository. Tycho just creates product
     > via materialize-products goal using platform/simrel repositories.
     >
     > Can you please elaborate on the OS you are targeting and the problem
     > you are facing?
     >
     >
     >
     > Thanks
     >
     > Sravan
     >
     >
     >
     > *From:* Sathish Kumar Maheshwaran (RBEI/EMT1) <SathishKumar.Maheswaran@xxxxxxxxxxxx>
     > *Sent:* 19 August 2020 11:22
     > *To:* tycho-user@xxxxxxxxxxx
     > *Cc:* Narayana Swamy Ramesh (RBEI/EMT1) <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
     > *Subject:* [EXTERNAL] [tycho-user] Building Eclipse RCP via equinox
     > director signs the RCP executable automatically
     >
     >
     >
     > Hello Users,
     >
     >
     >
     > We are facing an issue while building an Eclipse RCP in Eclipse
     > Version (V4.14) via tycho equinox p2 director plugin.
     >
     >
     >
     > The RCP that is generated out of the materialize products goal is
     > automatically signed by eclipse. This behavior does not happen in
     > Eclipse Version (4.7) and is happening only in the later versions.
     >
     >
     >
     > Is there any tycho goal which we can add to disable the signing
     > process for the executable. Thanks in advance.
     >
     >
     >
     >
     >
     > Mit freundlichen Grüßen / Best regards
     >
     > *Maheshwaran Sathish Kumar*
     >
     > AUTOSAR MSR editors (RBEI/EMT1)
     > Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY |
     > http://www.bosch.com/
     > +914226764154 | SathishKumar.Maheswaran@xxxxxxxxxxxx
     >
     > _______________________________________________
     > tycho-user mailing list
     > tycho-user@xxxxxxxxxxx
     > To unsubscribe from this list, visit
     > https://www.eclipse.org/mailman/listinfo/tycho-user
     >


    --
    Johan Compagner
    Servoy
    ------------------------------

    End of tycho-user Digest, Vol 120, Issue 14
    *******************************************

_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
