Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

That's why I think it's worth separating the concerns into two parts:

1) provide a hook so plugins can participate in the process of jars being prepared to be placed inside a repository (I don't think the download stage needs to be covered here, as this might also apply to plugins built in the reactor)

2) a plugin/mojo that uses this extension point and can be configured (maybe just a thin wrapper around jar-signer-plugin) for signing a jar

This could then be reused by 3rd-party plugins; for example, for some of our products there is a licensing dongle that is responsible for handling encrypted jar files. Currently we do it in such a way that the product is built and after that the resulting product is encrypted with the customer key and repacked.

I could even think about a module that, for example, checks license information of a jar before it is allowed to be placed inside a product/updatesite ... we recently had this discussion on the mailing list.

On 06.01.21 at 14:16, Johan Compagner wrote:
right, that's what I mean
A "hook" that processes the jar right after tycho downloads it or takes it from the local repo to be put into the p2 site. So that in the end any repository/p2 site that is created has only really signed jar files (then the question is should it just re-sign all or should it only re-sign when the signing is not valid)



On Wed, 6 Jan 2021 at 14:04, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:

    I think the problem is there would be a need for some-kind of "hook" so
    a plugin/mojo/whatever is capable of processing a jar before it is
    copied into a product/updatesite.

    I'm not aware of such a feature yet in tycho, so maybe it would be
    worth to open an enhancement request.

    This could be useful anyways for other use cases, e.g. one might want to
    obfuscate, encrypt, whatever the content of a jar before it is placed
    inside a product/updatesite...

    On 06.01.21 at 13:59, Johan Compagner wrote:
     > isn't the maven-jarsigner-plugin only used for plugins that you build
     > yourself?
     > So the plugin projects with pom files that are compiled, built,
     > repacked, and signed by tycho?
     >
     > But that's not what I am talking about
     >
     > one example is this:
     >
     > servoy-eclipse/pom.xml at master · Servoy/servoy-eclipse (github.com)
     > <https://github.com/Servoy/servoy-eclipse/blob/master/shipplugins/pom.xml#L110>
     >
     > and
     >
     > then the category file: servoy-eclipse/category.xml at master ·
     > Servoy/servoy-eclipse (github.com)
     > <https://github.com/Servoy/servoy-eclipse/blob/master/shipplugins/category.xml>
     >
     > which makes a p2 site for us where the jars are coming from all kinds of
     > things (mostly from maven central)
     >
     > but those jars are for the most part not signed.
     >
     > So I end up with a generated repository with all kinds of jars that are
     > not signed.
     >
     > And this is a p2 site that I generate from all kinds of maven central
     > jars so we can build our product
     > so our target file points to the above p2 site:
     > servoy-eclipse/com.servoy.eclipse.target.target at master ·
     > Servoy/servoy-eclipse (github.com)
     > <https://github.com/Servoy/servoy-eclipse/blob/master/launch_targets/com.servoy.eclipse.target.target#L19>
     > (like orbit)
     >
     > But for example we also use chromium in our target file:
     >
     > servoy-eclipse/com.servoy.eclipse.target.target at master ·
     > Servoy/servoy-eclipse (github.com)
     > <https://github.com/Servoy/servoy-eclipse/blob/master/launch_targets/com.servoy.eclipse.target.target#L16>
     >
     >
     > but that 3rd party site has jars that are also not signed by the maker
     > of that site.
     >
     > So when I build our product, I would like to also sign those jars that
     > are included in our full product/repo, just so they are signed by our
     > certificate
     >
     >
     >
     > On Wed, 6 Jan 2021 at 12:24, Mickael Istria <mistria@xxxxxxxxxx> wrote:
     >
     >     Can you please elaborate what specifically is preventing you from
     >     using the maven-jarsigner-plugin? I don't think there is a
     >     fundamental reason for this to not work, I imagine it can be made to
     >     work.
     >     _______________________________________________
     >     tycho-user mailing list
     >     tycho-user@xxxxxxxxxxx
     >     To unsubscribe from this list, visit
     >     https://www.eclipse.org/mailman/listinfo/tycho-user
     >
     >
     >
     > --
     > Johan Compagner
     > Servoy
     >



--
Johan Compagner
Servoy
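
As an added example (not part of the thread and not Tycho code): a small Python audit that a jar-processing hook like the one discussed could use to decide which jars in a generated p2 site still need signing. It only checks for matching META-INF signature entries; cryptographic validity still needs `jarsigner -verify`. All function names and the sample jar names are assumptions constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# JAR signing leaves a signature file (.SF) and a signature block
# (.RSA/.DSA/.EC) with the same base name under META-INF/.
SIG_ENTRY = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def classify_jar(path):
    """Return 'signed', 'partial' or 'unsigned' from META-INF entry names only."""
    sig_files, sig_blocks = set(), set()
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            m = SIG_ENTRY.match(name)
            if m:
                target = sig_files if m.group(2).upper() == "SF" else sig_blocks
                target.add(m.group(1).upper())
    if sig_files & sig_blocks:
        return "signed"
    # A lone .SF or lone block file means the signature was stripped or damaged.
    return "partial" if (sig_files or sig_blocks) else "unsigned"


def jars_needing_signature(repo_root):
    """Relative paths of jars in a repository tree without a complete signature."""
    root = Path(repo_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.jar")
        if classify_jar(p) != "signed"
    )


def build_sample_repo(root):
    """Constructed sample repo: jar entries are placeholders, not real signatures."""
    plugins = Path(root) / "plugins"
    plugins.mkdir(parents=True)
    samples = {
        "signed.bundle_1.0.0.jar": ["META-INF/DEMO.SF", "META-INF/DEMO.RSA"],
        "thirdparty.lib_2.1.0.jar": ["com/example/A.class"],
        "stripped.bundle_3.0.0.jar": ["META-INF/DEMO.SF"],
    }
    for jar_name, entries in samples.items():
        with zipfile.ZipFile(plugins / jar_name, "w") as jar:
            for entry in ["META-INF/MANIFEST.MF", *entries]:
                jar.writestr(entry, b"placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(jars_needing_signature(tmp))
```
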
