Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

but if that is a bit tricky to do
because making your own stuff is now done by us through at category,xml file (servoy-eclipse/category.xml at master · Servoy/servoy-eclipse (
and pom <packaging>eclipse-repository</packaging>

but those then extract the dependencies right away from maven
Its already nice that almost all jars are now build with the correct manifest so they are usable directly as bundles
but none of them are signed (as far as i know)
So thats then tricky and a lot of work, because how do i get in between that to sign them first?

I need to download them manually from the maven central, sign it
and then push it in a local mvn repo under our own grouping
upload that local mvn repo to a server (so everybody can build that same thing)
and use then our maven repo that has the signed artifacts under our name to generate that eclipse repository

thats a lot of copy steps and an intermediate maven repo, to get to a nice p2 site that is then usable..
somehow this should be easier....
Maybe i can write some script that does all that for me..

not to mention that this doesn't fix P2 sites with unsigned content..

On Wed, 6 Jan 2021 at 15:45, Mickael Istria <mistria@xxxxxxxxxx> wrote:

On Wed, Jan 6, 2021 at 3:39 PM Johan Compagner <jcompagner@xxxxxxxxxx> wrote:
But i guess if we would implement this in the correct location the product would be auto done because the product is build from a generated repository right?

Right. Signing after the fact is source of errors as you mentioned (brining incorrect checksums and so on), artifacts need to be signed as soon as they're produced.
At the moment, I believe your approach with building your own Orbit-like to repackage and apply a signature directly when producing those artifacts to consume them later is the best possible one. I don't foresee an obvious possible improvement to implement in Tycho in short-term to improve this story.
tycho-user mailing list
To unsubscribe from this list, visit

Johan Compagner

Back to the top