Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

On Wed, 2021-01-06 at 09:56 -0500, Jonah Graham wrote:
> Hi Johan,
> The Orbit has two cases:
> 1- Bundles are built with bndtools by Orbit as part of the build they
> are signed in the normal bundle signing way. The bundles don't have
> identical content to the maven central ones, differing in the
> manifest and legal "paperwork" in the bundles.
> 2- Orbit has some old bundles that Roland resigns on occasion, when
> he does that all the p2 metadata needs to be updated. It most
> recently happened for 2020-12 release. See Bug 553288 - the resigning
> happens with this orbit job
> ( but I don't
> know how the p2 metadata is repackaged. 

The reason the orbit-recipes process works for signing is because it
contains modules that simply download one or more set of artifacts and
re-packages them as a new artifact produced by the build. The modules
have a packaging type that eclipse-jarsigner-plugin recognizes and so
it signs all generated artifacts of that module.

If there were a way to download an artifact and attach it to some
module (as if it were generated, but not), then as long as eclipse-
jarsigner-plugin recognized the packaging of the module, it should sign
all the artifacts.

The approach from (2) would only work if you don't already generate a
p2 repository, since as you mention, the signing modifies the

Roland Grunberg

Back to the top