Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?


I wonder if tucho could help with this?

We extract plugins/jars from everywhere, build also our own p2 repo for stuff we can't find in eclipse or orbit dumps

Problem is that many or all of the jars in maven central are not signed
now is generating a p2 site from maven sources/pom (category,xml and so on) relatively easy
But i wonder if at that stage (i guess the tycho-p2-plugin ?)
could just have an intermediate step that just signed (or resigns) all the jars that it puts into the p2 repo

Or not even doing it there but when it creates a product build (tycho-p2-publisher-plugin or tycho-p2-director-plugin) all jars that are not signed or not valid anymore are resigned with a given keystore?

when installing our product a user doesn't really notice, but when updating he gets a list of jars that are not trusted/unsigned. Those are all ofcourse 3rd party stuff mostly coming from maven..

Johan Compagner

Back to the top