Re: [tycho-user] would it be possible for tycho to check the signing (an

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

From: Johan Compagner <jcompagner@xxxxxxxxxx>
Date: Wed, 6 Jan 2021 15:38:35 +0100
Delivered-to: tycho-user@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/tycho-user>
List-help: <mailto:tycho-user-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=unsubscribe>

yes as far as i know all the apache stuff that are on maven (commons, dbcp) are not signed..

because who would do that? who can get there hands on those signing certificates?

not sure if apache has stuff for that in place (like eclipse does)

i think thats why eclipse has orbit right?

like: https://download.eclipse.org/tools/orbit/downloads/drops2/R20201130205003/repository/plugins/org.apache.commons.io_2.6.0.v20190123-2029.jar

which are all signed by eclipse,

i guess thats done by CBI tools that makes that orbit, (or is that done by hand by a person? download that commons io jar from maven central, sign it and then make the orbit dump....)

so orbit does fix it for us, but orbit is just a subset and a bit slow in updating stuff so not always an option.

thats why i would like that tycho does that for me

So we move the signing part from the plugin/jar compile/build part completely and move it to when the plugin/jar (Thats is build or that is from a 3rd party source) is used in a end "product"

that end product can ofcourse be a realy product but also just a p2 site itself.

But i guess if we would implement this in the correct location the product would be auto done because the product is build from a generated repository right?

On Wed, 6 Jan 2021 at 15:08, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:

> Have you tried contributing to upstream projects so they can get those
> artifacts signed?

Just keep in mind that there's a world outside eclipse and its often
undesirable for OS-projects to sign them either because one has to pay
for a certificate, its to difficult to mange one or there is simply no
organization that could hold as the certificate owner.

Am 06.01.21 um 15:05 schrieb Mickael Istria:
>
>
> On Wed, Jan 6, 2021 at 1:59 PM Johan Compagner <jcompagner@xxxxxxxxxx
> <mailto:jcompagner@xxxxxxxxxx>> wrote:
>
> isn't the maven-jarsigner-plugin only used for plugins that you
> build yourself?
> So the plugin projects with pom files that are compiled, built,
> repacked, and signed by tycho?
>
>
> That's right.
>
> which makes a p2 site for us where the jars are coming from all
> kinds of things (mostly from maven central)
>
>
> Have you tried contributing to upstream projects so they can get those
> artifacts signed?
> Or do you really need those 3rd party artifacts to be signed by your own
> certificate? In which case, then those become different artifacts, and
> you'd need to re-build or repackage them (ideally changing the
> Bundle-Vendor in MANIFEST to explicit it's not an "official" upstream
> artifact).
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
>
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user

Johan Compagner

Servoy

Follow-Ups:
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Jonah Graham
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Mickael Istria

References:
- [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Johan Compagner
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Sravan K Lakkimsetti
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Johan Compagner
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Mickael Istria
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Johan Compagner
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Mickael Istria
- Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
  - From: Christoph Läubrich

Prev by Date: Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
Next by Date: Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
Previous by thread: Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
Next by thread: Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
Index(es):
- Date
- Thread

Breadcrumbs