I wonder if Tycho could help with this?
We extract plugins/jars from everywhere, and also build our own p2 repo for stuff we can't find in Eclipse or Orbit dumps.
The problem is that many or all of the jars in Maven Central are not signed.
Now, generating a p2 site from Maven sources/pom (category.xml and so on) is relatively easy.
But I wonder if at that stage (I guess the tycho-p2-plugin?)
it could just have an intermediate step that just signs (or re-signs) all the jars that it puts into the p2 repo.
Or not even doing it there, but when it creates a product build (tycho-p2-publisher-plugin or tycho-p2-director-plugin), all jars that are not signed or not valid anymore are re-signed with a given keystore?
When installing our product a user doesn't really notice, but when updating he gets a list of jars that are not trusted/unsigned. Those are all of course 3rd party stuff, mostly coming from Maven.
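
To see which jars in a generated p2 repository would show up in that untrusted/unsigned list, the following added example (not part of the original post, and not Tycho code) lists every jar that carries no signature entries. It assumes the standard JAR signature layout (`META-INF/<name>.SF` plus a matching `.RSA`, `.DSA` or `.EC` block); the function names are hypothetical, and it checks only that signature files are present, not that they are still valid, which `jarsigner -verify` does.

```python
import re
import sys
import zipfile
from pathlib import Path

# JAR signature entries: META-INF/<name>.SF plus a signature block
# META-INF/<name>.RSA, .DSA or .EC sharing the same base name.
_SIG = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def signer_names(jar_path):
    """Return the base names that have both a .SF file and a signature block."""
    sf, blocks = set(), set()
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            m = _SIG.match(entry)
            if not m:
                continue
            name, ext = m.group(1).upper(), m.group(2).upper()
            (sf if ext == "SF" else blocks).add(name)
    # A lone .SF or a lone block file does not make a signed jar.
    return sf & blocks


def unsigned_jars(repo_dir):
    """List jars under repo_dir (e.g. a p2 repo's plugins/ folder) with no signer."""
    return sorted(
        str(p.relative_to(repo_dir))
        for p in Path(repo_dir).rglob("*.jar")
        if p.is_file() and not signer_names(p)
    )


def write_sample_jar(path, signed):
    """Constructed sample input: a tiny jar, optionally with placeholder
    signature entries (not a real signature, enough for the presence check)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/A.class", b"\xca\xfe\xba\xbe")
        if signed:
            jar.writestr("META-INF/EXAMPLE.SF", "Signature-Version: 1.0\n")
            jar.writestr("META-INF/EXAMPLE.RSA", b"placeholder")


if __name__ == "__main__":
    # Usage: python list_unsigned.py <path-to-p2-repo>
    for name in unsigned_jars(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("unsigned:", name)
```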