Hi Ed,
Actually we are signing thrice. Here is the step-by-step process for Windows.
1. Build eclipse.exe and eclipsec.exe, sign them and commit to the launcher binaries repo (signing for the first time). We use https://ci.eclipse.org/releng/job/Build-eclipse-launcher/ for this. You can see the executables in https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/tree/org.eclipse.equinox.executable/bin/win32/win32/x86_64
2. During the product build of rt.equinox.starterkit:
   - Brand the executables with new icon and names. This causes the earlier signature to become corrupt. This is done in the tycho-p2-publisher:publish-products goal.
   - Assemble the repository using the tycho-p2-repository-plugin:assemble-repository goal. At this stage the repository will contain executables with a corrupt signature.
   - Sign the executables (signing for the second time) in the repository using ant, see https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n131
   - Create the product folder structure using the tycho-p2-director-plugin:materialize-products goal.
   - Sign the executables (signing for the third time) in the product structure using the eclipse-winsigner-plugin:sign goal. (This step is not required but stayed on from earlier code.)
   - Create archives using tycho-p2-director-plugin:archive-products.
We are using the signing service from the Eclipse Foundation to sign the executables. I haven't looked in depth there, but I see only one signature on the signed executables.
I agree with you on the command line tool eclipsec.exe, but with not many people working on p2 it is difficult to get it fixed there.
I hope this helps
Thanks
Sravan
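The following Python example is added here and is not code from the thread or from Tycho/CBI. It computes the Authenticode image digest of a PE file (which skips the CheckSum field, the security directory entry and the certificate table) to show that attaching or stripping a signature leaves the digest unchanged while re-branding the resources changes it, which is why a signature applied before the branding step no longer matches. The sample image, resource bytes and signature blob are constructed, the function names are hypothetical, and the certificate table is assumed to be the last data in the file.

```python
import hashlib
import struct

def _offsets(pe: bytes):
    """Return (CheckSum offset, security directory entry offset, cert table offset, cert table size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                         # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    entry = dirs + 8 * 4                                  # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    return opt + 64, entry, cert_off, cert_size

def list_certificates(pe: bytes):
    """Return (revision, type, payload length) for each WIN_CERTIFICATE entry."""
    _, _, off, size = _offsets(pe)
    end, found = off + size, []
    while size and off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt certificate table")
        found.append((rev, ctype, length - 8))
        off += (length + 7) & ~7                          # entries are 8-byte aligned
    return found

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Hash everything except CheckSum, the security directory entry and the cert table.
    Simplification: assumes the certificate table is the last thing in the file."""
    checksum, entry, cert_off, cert_size = _offsets(pe)
    end = cert_off if cert_size else len(pe)
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:entry], pe[entry + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def attach_signature(pe: bytes, blob: bytes) -> bytes:
    """Append one WIN_CERTIFICATE (revision 2.0, PKCS#7 type) and point the directory at it."""
    _, entry, _, cert_size = _offsets(pe)
    if cert_size:
        raise ValueError("already signed; strip first")
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    cert += b"\0" * (-len(cert) % 8)
    out = bytearray(pe + cert)
    struct.pack_into("<II", out, entry, len(pe), len(cert))
    return bytes(out)

def strip_signature(pe: bytes) -> bytes:
    """Drop the certificate table and zero its directory entry (CheckSum is not recomputed)."""
    _, entry, cert_off, cert_size = _offsets(pe)
    out = bytearray(pe[:cert_off] if cert_size else pe)
    struct.pack_into("<II", out, entry, 0, 0)
    return bytes(out)

def make_sample_pe(resource: bytes) -> bytes:
    """Constructed minimal PE32+ image: headers plus one blob standing in for the icon resource."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    nt = b"PE\0\0" + b"\0" * 20 + struct.pack("<H", 0x20B) + b"\0" * 238
    return dos + nt + resource.ljust(8, b"\0")
```

Counting WIN_CERTIFICATE entries does not reveal nested signatures, which are stored inside a single PKCS#7 blob; checking whether a signature is valid still needs a verifier that parses that blob.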
From: Ed Merks <ed.merks@xxxxxxxxx>
Sent: 27 August 2020 11:43
To: tycho-user@xxxxxxxxxxx
Subject: [EXTERNAL] Re: [tycho-user] tycho-user Digest, Vol 120, Issue 14
Sravan,
What is the relationship between this part:
https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n187
versus this part:
https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml#n187
One gets the impression that rt.exe is signed twice: once with ant and once with Tycho/CBI.
Also, it's been my experience that the eclipsec.exe, which is not renamed as part of branding, doesn't actually work because it doesn't find the branded *.ini. Others appear to have this experience as well.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=332714#c7
So when I redesigned the Oomph build to make better use of Tycho, I now rename the eclipsec.exe to eclipse-instc.exe (using exec-maven-plugin to run bash) and sign that with Tycho/CBI. (It would seem better if p2 actually did this properly but it just copies eclipsec.exe and that's just garbage/noise when the executable has a branded name.)
If the executables that are copied (materialized) to the product are already signed (where exactly do those come from?), do you know if signing them again removes the old signature or just adds a new signature? Looking at the properties, I only see one signature on eclipse-inst.exe and eclipse-instc.exe. (The pom you point at is for the starterkit product, so that's not really the source of the launcher executables used by products I think.)
Regards,
Ed
On 27.08.2020 07:07, Sravan K Lakkimsetti wrote:
Hi Ed,
We are signing equinox executables as well from 4.17 release. See https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/equinox.starterkit.product/pom.xml
Thanks
Sravan
I am under the impression that the signing does happen while building a product assuming of course you have the pom.xml configured to do that. I see this in my logs:
[INFO] --- eclipse-winsigner-plugin:1.1.8-SNAPSHOT:sign (installer-executables) @ org.eclipse.oomph.setup.installer.product ---
[INFO] [Tue Aug 25 23:23:11 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:12 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:15 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:15 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:18 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.restricted/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:21 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.restricted/win32/win32/x86_64/eclipse-instc.exe'
[INFO] [Tue Aug 25 23:23:24 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre.restricted/win32/win32/x86_64/eclipse-inst.exe'
[INFO] [Tue Aug 25 23:23:27 EDT 2020] Signing Windows executable '/jobs/genie.oomph/integration/workspace/git/products/org.eclipse.oomph.setup.installer.product/target/products/org.eclipse.oomph.setup.installer.product.with-jre.restricted/win32/win32/x86_64/eclipse-instc.exe'
I configure that like this:
<plugin>
  <groupId>org.eclipse.cbi.maven.plugins</groupId>
  <artifactId>eclipse-winsigner-plugin</artifactId>
  <version>${jarsigner-version}</version>
  <executions>
    <execution>
      <id>installer-executables</id>
      <goals>
        <goal>sign</goal>
      </goals>
      <phase>package</phase>
      <configuration>
        <!-- Names of the branded launchers to sign in the materialized product -->
        <fileNames>
          <fileName>eclipse-instc.exe</fileName>
          <fileName>eclipse-inst.exe</fileName>
        </fileNames>
      </configuration>
    </execution>
  </executions>
</plugin>
The platform does such signing as well using this same approach.
I think the Equinox launcher executables are not already signed.
On 26.08.2020 12:54, Christoph Läubrich wrote:
The icon replacement takes place in P2, even though Tycho calls P2 here.
The only solution IMO would be if eclipse would publish a signed and an unsigned executable with different updatesite and/or features.
Another approach would be to remove the signature after the build and add a new one then.
On 26.08.20 at 12:49, Martin Lippert wrote:
Hey Michael,
in our case, when building a product with tycho that has custom branding, tycho will modify the windows executable to update the icons which are included in the executable.
So strictly speaking tycho modifies the executable as part of the build process (in this case) and leaves the old (now invalid) signature on the executable.
I might be missing a piece here, but that is at least what we experienced for our product builds for Windows.
Cheers
Martin
On Tue, Aug 25, 2020 at 9:00 AM Keppler Michael (ETAS/ESW-CI) <Michael.Keppler@xxxxxxxx> wrote:
Hi Ramesh,
Please make your process people aware that re-signing already signed
(and not modified) executables is wrong. I had a hard time doing
that in our department, since it enforced the same wrong policy, but
we managed to change it.
If you include some Visual Studio runtime redistributables from
Microsoft, you also don't re-sign all these included DLLs to
override the Microsoft signature with a Bosch signature, right? And
that's exactly the same for the eclipse executable.
Signatures are for expressing the origin of some executable, and the
eclipse.exe is not created by Bosch. Signatures are NOT meant to
say, that Bosch has approved/scanned for viruses or whatever else.
Mit freundlichen Grüßen / Best regards
Michael Keppler
LTO Release Engineering (ETAS/ESW-CI)
Tel. +49 711 3423-2429 | Fax +49 711 89661-0 |
Michael.Keppler@xxxxxxxx
-----Original Message-----
From: tycho-user-bounces@xxxxxxxxxxx On Behalf Of Sathish Kumar Maheshwaran (RBEI/EMT1)
Sent: Wednesday, 19 August 2020 09:18
To: tycho-user@xxxxxxxxxxx
Cc: Narayana Swamy Ramesh (RBEI/EMT1) <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
Subject: Re: [tycho-user] tycho-user Digest, Vol 120, Issue 14
Thank you for the quick responses.
Let me elaborate on the problem we are facing.
Our problem is we do not want eclipse to sign the executable. With
earlier version of eclipse (V4.8) the executable generated out of
the materialized products did not have a signature from Eclipse.
But when we try building using eclipse (V4.14) the executable
generated has a signature from Eclipse.
We have our own product team which applies our company's signature
on the EXE. Since the executable is already signed by Eclipse our
signing process fails.
So we are looking at a goal or a setting in tycho which will
instruct the p2 director plugin to skip the eclipse signing process.
We have raised an Eclipse bug regarding that here:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=565937
We have also posted our question on Stack Overflow:
https://stackoverflow.com/questions/63326750/remove-digital-signature-from-generated-rcps-exe
Mit freundlichen Grüßen / Best regards
Maheshwaran Sathish Kumar
AUTOSAR MSR editors (RBEI/EMT1)
-----Original Message-----
From: tycho-user-bounces@xxxxxxxxxxx On Behalf Of tycho-user-request@xxxxxxxxxxx
Sent: Wednesday, August 19, 2020 12:40 PM
To: tycho-user@xxxxxxxxxxx
Subject: tycho-user Digest, Vol 120, Issue 14
Today's Topics:
1. Building Eclipse RCP via equinox director signs the RCP
executable automatically (Sathish Kumar Maheshwaran (RBEI/EMT1))
2. Re: Building Eclipse RCP via equinox director signs the RCP
executable automatically (Sravan K Lakkimsetti)
3. Re: Building Eclipse RCP via equinox director signs the RCP
executable automatically (Johan Compagner)
----------------------------------------------------------------------
Message: 1
Date: Wed, 19 Aug 2020 05:51:11 +0000
From: "Sathish Kumar Maheshwaran (RBEI/EMT1)" <SathishKumar.Maheswaran@xxxxxxxxxxxx>
To: "tycho-user@xxxxxxxxxxx" <tycho-user@xxxxxxxxxxx>
Cc: "Narayana Swamy Ramesh (RBEI/EMT1)" <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
Subject: [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically
Message-ID: <bd9df1445f26426797c3d7b71252f862@xxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"
Hello Users,
We are facing an issue while building an Eclipse RCP in Eclipse
Version (V4.14) via tycho equinox p2 director plugin.
The RCP that is generated out of the materialize products goal is
automatically signed by eclipse. This behavior does not happen in
Eclipse Version (4.7) and is happening only in the later versions.
Is there any tycho goal which we can add to disable the signing
process for the executable. Thanks in advance.
Mit freundlichen Grüßen / Best regards
Maheshwaran Sathish Kumar
AUTOSAR MSR editors (RBEI/EMT1)
------------------------------
Message: 2
Date: Wed, 19 Aug 2020 06:04:16 +0000
From: "Sravan K Lakkimsetti" <sravankumarl@xxxxxxxxxx>
To: "Tycho user list" <tycho-user@xxxxxxxxxxx>
Cc: "Narayana Swamy Ramesh (RBEI/EMT1)" <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
Subject: Re: [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically
Message-ID: <OF7BA5F740.29FA2385-ON002585C9.00215944-1597817055953@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"
Hi,
I am not clear about this question.
We do sign executables for Windows and Mac. These are already signed
and published in the platform repository. Tycho just creates product
via materialize-products goal using platform/simrel repositories.
Can you please elaborate on the OS you are targeting and the problem
you are facing?
Thanks
Sravan
------------------------------
Message: 3
Date: Wed, 19 Aug 2020 09:09:06 +0200
From: Johan Compagner <jcompagner@xxxxxxxxxx>
To: Tycho user list <tycho-user@xxxxxxxxxxx>
Cc: "Narayana Swamy Ramesh (RBEI/EMT1)" <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
Subject: Re: [tycho-user] Building Eclipse RCP via equinox director signs the RCP executable automatically
Message-ID: <CADcYmTKmL1EHrSk4+C_j+T1cjBnoGvhDqvbWMwP01yApktYfnw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"
you can always sign it yourself if you want
https://eur03.safelinks.protection.outlook.com/?url="">
(from there are about 50 lines down)
then it is double signed..
--
Johan Compagner
Servoy
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://eur03.safelinks.protection.outlook.com/?url="">
End of tycho-user Digest, Vol 120, Issue 14
*******************************************
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/tycho-user