| Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product? |
I think the best would be to sign the jars in the plugin directory using
some kind of post-processing scrip before uploading them.
Am 06.01.21 um 09:53 schrieb Johan Compagner:
> thx,
>
> i will have a look, i guess the problem is that it needs a service and
> doesn't use just the configured stuff that maven-jarsigner-plugin
> already just uses (and i guess also tycho here and there)
>
> And i can't use that service because i am running my own jenkins so to
> use that i kind of need to rebuild that service, which would mean i need
> to know thow that rest services should behave.
>
>
> On Wed, 6 Jan 2021 at 06:27, Sravan K Lakkimsetti
> <sravankumarl@xxxxxxxxxx <mailto:sravankumarl@xxxxxxxxxx>> wrote:
>
> Hi,____
>
> __ __
>
> At Eclipse Platform we use eclipse-jar-signer plugin to do the task
> you mentioned. Please take a look at
> https://mvnrepository.com/artifact/org.eclipse.cbi.maven.plugins/eclipse-jarsigner-plugin/1.1.7
> <https://mvnrepository.com/artifact/org.eclipse.cbi.maven.plugins/eclipse-jarsigner-plugin/1.1.7>
> and
> https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/plugin-info.html
> <https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/plugin-info.html>
> ____
>
> __ __
>
> This uses a jar signer webservice to sign the jars. See
> https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service
> <https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service> on how
> we use the webservice.____
>
> __ __
>
> Thanks____
>
> Sravan____
>
> __ __
>
> *From:*Johan Compagner <jcompagner@xxxxxxxxxx
> <mailto:jcompagner@xxxxxxxxxx>>
> *Sent:* 05 January 2021 21:40
> *To:* Tycho user list <tycho-user@xxxxxxxxxxx
> <mailto:tycho-user@xxxxxxxxxxx>>
> *Subject:* [EXTERNAL] [tycho-user] would it be possible for tycho to
> check the signing (and sign) all plugin jars that are put into the
> product?____
>
> __ __
>
> ____
>
> Hi,____
>
> __ __
>
> I wonder if tucho could help with this?____
>
> __ __
>
> We extract plugins/jars from everywhere, build also our own p2 repo
> for stuff we can't find in eclipse or orbit dumps____
>
> __ __
>
> Problem is that many or all of the jars in maven central are not
> signed____
>
> now is generating a p2 site from maven sources/pom (category,xml and
> so on) relatively easy____
>
> But i wonder if at that stage (i guess the tycho-p2-plugin ?)____
>
> could just have an intermediate step that just signed (or resigns)
> all the jars that it puts into the p2 repo____
>
> __ __
>
> Or not even doing it there but when it creates a product build
> (tycho-p2-publisher-plugin or tycho-p2-director-plugin) all jars
> that are not signed or not valid anymore are resigned with a given
> keystore?____
>
> __ __
>
> when installing our product a user doesn't really notice, but when
> updating he gets a list of jars that are not trusted/unsigned. Those
> are all ofcourse 3rd party stuff mostly coming from maven..____
>
> __ __
>
> -- ____
>
> Johan Compagner____
>
> Servoy____
>
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx <mailto:tycho-user@xxxxxxxxxxx>
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/tycho-user
> <https://www.eclipse.org/mailman/listinfo/tycho-user>
>
>
>
> --
> Johan Compagner
> Servoy
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
>
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user