Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds

On Thu, Jan 21, 2021 at 3:52 PM Wim Jongman <wim.jongman@xxxxxxxxx> wrote:
> I mean, does it matter if the wrapper is not signed as long as the wrapped jar is signed?

It mostly depends on the requirement on the consumer side. For most technologies, no-one seems to care about signatures inside jars; SimRel does.

> I would like to have a chance of discovering if someone tampered with artifacts on my machine *after* installation. Checksums help with installation but not after installation.

This is IMO not the issue signing is about.
Checking the last modification date of the file is sufficient to know when an artifact has been tampered with. Keeping checksums of baseline vs current can also help. For a previous company I was working for, a checksum was requested for all files under the plugins/ folder to verify whether artifacts were tampered with compared to the provided set. No signing was involved.
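
The baseline-versus-current checksum comparison mentioned in the message above, as an added example that is not part of the original post or of any Eclipse/Tycho tooling. The function names and the sample file names are assumptions made for illustration; the check compares file contents only, so it does not depend on timestamps.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return files modified, added or removed relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Run the check on a constructed plugins/ tree (sample data, not real bundles)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        plugins.mkdir()
        (plugins / "org.example.a_1.0.0.jar").write_bytes(b"bundle A")
        (plugins / "org.example.b_1.0.0.jar").write_bytes(b"bundle B")
        baseline = snapshot(plugins)  # taken right after installation
        # Simulate post-install changes: one file altered, one added, one deleted.
        (plugins / "org.example.a_1.0.0.jar").write_bytes(b"bundle A changed")
        (plugins / "org.example.c_1.0.0.jar").write_bytes(b"bundle C")
        (plugins / "org.example.b_1.0.0.jar").unlink()
        return compare(baseline, snapshot(plugins))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it somewhere that an account able to write to plugins/ cannot also rewrite.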
