Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
I think the best would be to sign the jars in the plugin directory using
some kind of post-processing script before uploading them.
On 06.01.21 at 09:53, Johan Compagner wrote:
thx,
I will have a look, I guess the problem is that it needs a service and
doesn't use just the configured stuff that maven-jarsigner-plugin
already just uses (and I guess also Tycho here and there)
And I can't use that service because I am running my own Jenkins so to
use that I kind of need to rebuild that service, which would mean I need
to know how that REST service should behave.
On Wed, 6 Jan 2021 at 06:27, Sravan K Lakkimsetti
<sravankumarl@xxxxxxxxxx> wrote:
Hi,

At Eclipse Platform we use eclipse-jar-signer plugin to do the task
you mentioned. Please take a look at
https://mvnrepository.com/artifact/org.eclipse.cbi.maven.plugins/eclipse-jarsigner-plugin/1.1.7
and
https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/plugin-info.html

This uses a jar signer webservice to sign the jars. See
https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service on how
we use the webservice.

Thanks
Sravan

From: Johan Compagner <jcompagner@xxxxxxxxxx>
Sent: 05 January 2021 21:40
To: Tycho user list <tycho-user@xxxxxxxxxxx>
Subject: [EXTERNAL] [tycho-user] would it be possible for tycho to
check the signing (and sign) all plugin jars that are put into the
product?

Hi,

I wonder if Tycho could help with this?

We extract plugins/jars from everywhere, build also our own p2 repo
for stuff we can't find in eclipse or orbit dumps

Problem is that many or all of the jars in maven central are not
signed
now is generating a p2 site from maven sources/pom (category.xml and
so on) relatively easy
But I wonder if at that stage (I guess the tycho-p2-plugin ?)
could just have an intermediate step that just signed (or resigns)
all the jars that it puts into the p2 repo

Or not even doing it there but when it creates a product build
(tycho-p2-publisher-plugin or tycho-p2-director-plugin) all jars
that are not signed or not valid anymore are resigned with a given
keystore?

when installing our product a user doesn't really notice, but when
updating he gets a list of jars that are not trusted/unsigned. Those
are all of course 3rd party stuff mostly coming from maven..

--
Johan Compagner
Servoy
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/tycho-user
--
Johan Compagner
Servoy
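
A sketch of the post-processing step suggested in the reply at the top of this thread, added here as an example and not code from Tycho, Eclipse CBI or any poster: it lists the jars in a product's plugins directory that carry no signature files and builds a plain `jarsigner` call for each. The keystore path, alias, timestamp-authority URL and the `KEYSTORE_PASS` environment variable name are assumptions.

```python
import subprocess
import sys
import zipfile
from pathlib import Path

# Signature block extensions that jarsigner writes next to META-INF/*.SF.
BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def has_signature_files(jar):
    """True if the jar holds a META-INF/<name>.SF with a matching block file.

    Presence check only: it finds unsigned jars, but a jar whose signature is
    no longer valid still needs `jarsigner -verify -strict` to be detected.
    """
    with zipfile.ZipFile(jar) as zf:
        meta = [n.upper() for n in zf.namelist()
                if n.upper().startswith("META-INF/") and n.count("/") == 1]
    sf = {n[:-len(".SF")] for n in meta if n.endswith(".SF")}
    blocks = {n.rsplit(".", 1)[0] for n in meta if n.endswith(BLOCK_EXTS)}
    return bool(sf & blocks)  # an orphan .SF without a block is not a signature


def unsigned_jars(plugin_dir):
    """Jars directly under plugin_dir that carry no signature files."""
    return sorted(j for j in Path(plugin_dir).glob("*.jar")
                  if not has_signature_files(j))


def sign_commands(plugin_dir, keystore, alias, tsa_url):
    """One jarsigner argv per unsigned jar; the password comes from the
    environment (variable name assumed) so it never appears in the build log."""
    return [["jarsigner", "-keystore", str(keystore),
             "-storepass:env", "KEYSTORE_PASS",
             "-tsa", tsa_url, str(jar), alias]
            for jar in unsigned_jars(plugin_dir)]


if __name__ == "__main__":
    # usage: sign_plugins.py <plugins-dir> <keystore> <alias> <tsa-url>
    plugin_dir, keystore, alias, tsa = sys.argv[1:5]
    for cmd in sign_commands(plugin_dir, keystore, alias, tsa):
        subprocess.run(cmd, check=True)
        # Fail the build if the freshly signed jar does not verify strictly.
        subprocess.run(["jarsigner", "-verify", "-strict", cmd[-2]], check=True)
```

Jars that are already signed by their original publisher are left untouched, so their existing signatures stay intact.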