Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

Hi,

 

At Eclipse Platform we use eclipse-jar-signer plugin to do the task you mentioned. Please take a look at https://mvnrepository.com/artifact/org.eclipse.cbi.maven.plugins/eclipse-jarsigner-plugin/1.1.7 and https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/plugin-info.html

 

This uses a jar signer webservice to sign the jars. See https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service on how we use the webservice.

 

Thanks

Sravan

 

From: Johan Compagner <jcompagner@xxxxxxxxxx>
Sent: 05 January 2021 21:40
To: Tycho user list <tycho-user@xxxxxxxxxxx>
Subject: [EXTERNAL] [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

 

Hi,

 

I wonder if tycho could help with this?

 

We extract plugins/jars from everywhere, build also our own p2 repo for stuff we can't find in eclipse or orbit dumps

 

Problem is that many or all of the jars in maven central are not signed

now is generating a p2 site from maven sources/pom (category.xml and so on) relatively easy

But I wonder if at that stage (I guess the tycho-p2-plugin ?)

could just have an intermediate step that just signs (or resigns) all the jars that it puts into the p2 repo

 

Or not even doing it there but when it creates a product build (tycho-p2-publisher-plugin or tycho-p2-director-plugin) all jars that are not signed or not valid anymore are resigned with a given keystore?

 

when installing our product a user doesn't really notice, but when updating he gets a list of jars that are not trusted/unsigned. Those are all of course 3rd party stuff mostly coming from maven.

 

--

Johan Compagner

Servoy
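
An added example, not part of the original messages and not code from Tycho or the CBI plugin: a Python check that lists which jars under a plugins directory carry no signature files, or contain entries that the signed manifest does not cover, so they can be signed before the repository is published. The function names are hypothetical, and the check inspects jar structure only; cryptographic validity still has to be confirmed with `jarsigner -verify`.

```python
import pathlib
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")

def is_signature_related(name):
    """True for the META-INF files that jar signing itself does not cover."""
    head, _, base = name.upper().rpartition("/")
    return head == "META-INF" and (
        base == "MANIFEST.MF" or base.startswith("SIG-")
        or base.endswith((".SF",) + SIG_BLOCK_EXT))

def digested_names(manifest_bytes):
    """Entry names that have a per-entry *-Digest attribute in MANIFEST.MF."""
    text = manifest_bytes.decode("utf-8", "replace")
    # Normalise line endings, then unfold continuation lines (leading space).
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and any(k.endswith("-Digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def classify_jar(jar):
    """Return 'unsigned', 'signed' or 'partially-signed' (structure only, no crypto)."""
    with zipfile.ZipFile(jar) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
        meta = {n.upper(): n for n in files if is_signature_related(n)}
        stems = [n[:-3] for n in meta if n.endswith(".SF")]
        # A signature needs a .SF file plus a matching signature block file.
        if not any(s + ext in meta for s in stems for ext in SIG_BLOCK_EXT):
            return "unsigned"
        manifest = meta.get("META-INF/MANIFEST.MF")
        covered = digested_names(zf.read(manifest)) if manifest else set()
    uncovered = [n for n in files if not is_signature_related(n) and n not in covered]
    return "partially-signed" if uncovered else "signed"

def untrusted_jars(plugins_dir):
    """Map each jar under plugins_dir that is not fully signed to its status."""
    report = {}
    for path in sorted(pathlib.Path(plugins_dir).rglob("*.jar")):
        status = classify_jar(path)
        if status != "signed":
            report[path.name] = status
    return report
```
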


