Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

You mean when the repo is generated and right before an upload to a site we sign it?
I think that will break the p2 stuff (artifacts.xml or content.xml) because the hashes are then all wrong.

Also, this describes making just the p2 site, but if tycho would also just do it before making a product, then it would always be good, no matter where the stuff comes from (my own generated p2 site of maven jars or other 3rd party p2 sites that don't sign stuff that I don't control).

But to do any of those 2 correctly, I think tycho will always generate a full p2 site (where the product is built from), and before it generates the p2 site there should be a step that signs everything that it puts in there.
And that should, I think, be before the generation of the artifacts.xml or content.xml, else the hashes of those files are just not the same anymore after signing.
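As an added example (not code from this thread, from Tycho or from the CBI plugins), the following Python script performs the kind of check discussed above: it reads a p2 repository's artifacts.xml, recomputes each bundle's sha-256 against the jar under plugins/, and reports whether the jar carries signature entries in META-INF. A jar that was re-signed after artifacts.xml was generated therefore shows up as a hash mismatch. The sample repository it builds, the bundle ids org.example.good and org.example.stale, and the placeholder signature entries are constructed for the example; the property name download.checksum.sha-256 and the plugins/<id>_<version>.jar layout are the ones p2's simple artifact repository uses.

```python
"""Check a p2 repository's artifacts.xml against the jars on disk.

Added example, not part of the tycho-user thread or of Tycho itself.
For every osgi.bundle artifact it verifies the recorded sha-256 and
reports whether the jar contains signature entries. It builds a small
constructed repository in a temp dir so that it runs offline.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_signature_entries(jar_path):
    """True if the jar has a META-INF/*.SF file plus a signature block
    (.RSA/.DSA/.EC). This only detects that a signature is present; it does
    not validate the signature or its certificate chain."""
    with zipfile.ZipFile(jar_path) as z:
        names = [n.upper() for n in z.namelist()]
    has_sf = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
    has_block = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                    for n in names)
    return has_sf and has_block


def check_p2_repo(repo_dir):
    """Return {jar_name: {"exists", "hash_ok", "signed"}} for every osgi.bundle
    listed in artifacts.xml (p2 stores bundles as plugins/<id>_<version>.jar)."""
    tree = ET.parse(os.path.join(repo_dir, "artifacts.xml"))
    results = {}
    for art in tree.getroot().iter("artifact"):
        if art.get("classifier") != "osgi.bundle":
            continue
        name = f"{art.get('id')}_{art.get('version')}.jar"
        path = os.path.join(repo_dir, "plugins", name)
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        expected = props.get("download.checksum.sha-256")
        entry = {"exists": os.path.isfile(path), "hash_ok": False, "signed": False}
        if entry["exists"]:
            entry["hash_ok"] = expected is not None and sha256_of(path) == expected
            entry["signed"] = has_signature_entries(path)
        results[name] = entry
    return results


def build_sample_repo():
    """Construct a throwaway repository: one 'signed' jar whose metadata is
    correct, and one unsigned jar whose recorded hash is stale (as if it had
    been modified after artifacts.xml was generated). The signature entries
    are placeholders, not real signatures."""
    repo = tempfile.mkdtemp(prefix="p2demo-")
    plugins = os.path.join(repo, "plugins")
    os.makedirs(plugins)

    def write_jar(name, signed):
        path = os.path.join(plugins, name)
        with zipfile.ZipFile(path, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nBundle-SymbolicName: x\n")
            z.writestr("x/Foo.class", b"\xca\xfe\xba\xbe")
            if signed:
                z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
                z.writestr("META-INF/SIGNER.RSA", b"placeholder signature block")
        return path

    good = write_jar("org.example.good_1.0.0.jar", signed=True)
    write_jar("org.example.stale_2.0.0.jar", signed=False)
    good_sha = sha256_of(good)
    stale_sha = "0" * 64  # constructed: no longer matches the jar on disk
    xml = f"""<?xml version='1.0' encoding='UTF-8'?>
<repository name='demo' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository' version='1'>
  <artifacts size='2'>
    <artifact classifier='osgi.bundle' id='org.example.good' version='1.0.0'>
      <properties size='1'>
        <property name='download.checksum.sha-256' value='{good_sha}'/>
      </properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='org.example.stale' version='2.0.0'>
      <properties size='1'>
        <property name='download.checksum.sha-256' value='{stale_sha}'/>
      </properties>
    </artifact>
  </artifacts>
</repository>
"""
    with open(os.path.join(repo, "artifacts.xml"), "w") as f:
        f.write(xml)
    return repo


if __name__ == "__main__":
    for jar, result in check_p2_repo(build_sample_repo()).items():
        print(jar, result)
```

Run against a real repository with check_p2_repo("/path/to/p2/repo"): any bundle with hash_ok False is one whose bytes changed after the metadata was written (exactly what signing after artifacts.xml generation produces), and any bundle with signed False is one users will see flagged as untrusted at update time. The signed flag is only a presence check; the actual signature is validated with `jarsigner -verify -verbose <jar>`.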



On Wed, 6 Jan 2021 at 10:11, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
I think the best would be to sign the jars in the plugin directory using
some kind of post-processing script before uploading them.

Am 06.01.21 um 09:53 schrieb Johan Compagner:
> thx,
>
> I will have a look, I guess the problem is that it needs a service and
> doesn't use just the configured stuff that maven-jarsigner-plugin
> already just uses (and I guess also tycho here and there)
>
> And I can't use that service because I am running my own jenkins, so to
> use that I kind of need to rebuild that service, which would mean I need
> to know how that rest service should behave.
>
>
> On Wed, 6 Jan 2021 at 06:27, Sravan K Lakkimsetti
> <sravankumarl@xxxxxxxxxx> wrote:
>
>     Hi,
>
>     At Eclipse Platform we use eclipse-jar-signer plugin to do the task
>     you mentioned. Please take a look at
>     https://mvnrepository.com/artifact/org.eclipse.cbi.maven.plugins/eclipse-jarsigner-plugin/1.1.7
>     and
>     https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/plugin-info.html
>
>     This uses a jar signer webservice to sign the jars. See
>     https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service on how
>     we use the webservice.
>
>     Thanks
>
>     Sravan
>
>
>     *From:* Johan Compagner <jcompagner@xxxxxxxxxx>
>     *Sent:* 05 January 2021 21:40
>     *To:* Tycho user list <tycho-user@xxxxxxxxxxx>
>     *Subject:* [EXTERNAL] [tycho-user] would it be possible for tycho to
>     check the signing (and sign) all plugin jars that are put into the
>     product?
>
>     Hi,
>
>     I wonder if tycho could help with this?
>
>     We extract plugins/jars from everywhere, build also our own p2 repo
>     for stuff we can't find in eclipse or orbit dumps
>
>     Problem is that many or all of the jars in maven central are not
>     signed
>     now is generating a p2 site from maven sources/pom (category.xml and
>     so on) relatively easy
>     But I wonder if at that stage (I guess the tycho-p2-plugin?)
>     could just have an intermediate step that just signed (or resigns)
>     all the jars that it puts into the p2 repo
>
>     Or not even doing it there but when it creates a product build
>     (tycho-p2-publisher-plugin or tycho-p2-director-plugin) all jars
>     that are not signed or not valid anymore are resigned with a given
>     keystore?
>
>     when installing our product a user doesn't really notice, but when
>     updating he gets a list of jars that are not trusted/unsigned. Those
>     are all of course 3rd party stuff mostly coming from maven..
>
>     --
>
>     Johan Compagner
>
>     Servoy
>
>
>     _______________________________________________
>     tycho-user mailing list
>     tycho-user@xxxxxxxxxxx
>     To unsubscribe from this list, visit
>     https://www.eclipse.org/mailman/listinfo/tycho-user
>
>
>
> --
> Johan Compagner
> Servoy
>
--
Johan Compagner
Servoy