Bug 570797 - Create GPG signatures for platform product artifacts.
Status: NEW
Product: Platform
Classification: Eclipse Project
Component: Releng
Version: 4.19
Hardware: All
OS: All
Importance: P3 enhancement
Target Milestone: ---
Assignee: Platform-Releng-Inbox
Reported: 2021-02-01 00:14 EST by Sravan Kumar Lakkimsetti
Modified: 2021-02-03 16:55 EST
Description Sravan Kumar Lakkimsetti 2021-02-01 00:14:22 EST
The platform project produces 3 sets of products:

1. Equinox
2. SDK
3. Platform

We need to create GPG signatures for these artifacts for verification by end users.
Comment 1 Mickael Istria 2021-02-01 04:06:23 EST
As Platform already publishes some artifacts to Platform, I guess there is already a GPG certificate configured and this is "only" a matter of invoking `gpg sign`, copying the signature files together with the zips and showing them on the download page.
Or are there some other concerns I'm missing?
Comment 2 Sravan Kumar Lakkimsetti 2021-02-01 06:08:58 EST
(In reply to Mickael Istria from comment #1)
> As Platform already publishes some artifacts to Platform, I guess there is
> already a GPG certificate configured and this is "only" a matter of invoking
> `gpg sign`, copying the signature files together with the zips and showing
> them on the download page.
> Or are there some other concerns I'm missing?

The configuration is already there, but we are not doing GPG signing yet. I raised this to start work on creating GPG signatures.
Comment 3 Mickael Istria 2021-02-03 16:55:38 EST
I see 2 possible approaches:
1. Just GPG sign the deployed/published products: this would most likely need to be done in a post-build script, similar to the copy to download.eclipse.org.
2. GPG sign all artifacts during the Tycho build with http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html . I hope this would sign the packaged products. That would sign much more than currently necessary, but may be more generic and more useful in the long run. Then the signature files just need to be copied together with the binaries onto download.eclipse.org.
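As an added illustration of the first approach (a post-build step rather than anything from the Eclipse releng scripts), the following script creates a detached, ASCII-armoured `.asc` signature next to each product archive in a download directory and then runs the same `gpg --verify` check an end user would run before unpacking. It assumes the signing key is selected by a hypothetical `GPG_KEYNAME` variable holding a key id or user id already in the build machine's keyring, and that the archives are the `*.zip` and `*.tar.gz` files in the directory passed as the first argument.

```shell
#!/bin/sh
# Added example, not the Eclipse releng's own script: post-build detached
# GPG signing of product archives plus the end-user verification step.
# Assumes GPG_KEYNAME names a signing key present in the local keyring.
set -eu

# Write <archive>.asc beside every archive in the directory. --yes overwrites
# an existing signature so a re-run after a rebuild never leaves a stale
# signature that no longer matches the new bytes.
sign_artifacts() {
    dir="$1"
    for f in "$dir"/*.zip "$dir"/*.tar.gz; do
        [ -f "$f" ] || continue   # glob matched nothing
        gpg --batch --yes --local-user "$GPG_KEYNAME" \
            --armor --detach-sign --output "$f.asc" "$f"
    done
}

# What the upload step (and an end user) should run: every archive must
# have a signature and every signature must verify against the archive it
# sits next to. Fails on the first missing or bad signature, so a tampered
# or truncated download is rejected rather than silently accepted.
verify_artifacts() {
    dir="$1"
    for f in "$dir"/*.zip "$dir"/*.tar.gz; do
        [ -f "$f" ] || continue
        if [ ! -f "$f.asc" ]; then
            echo "missing signature for $f" >&2
            return 1
        fi
        gpg --batch --verify "$f.asc" "$f" 2>/dev/null || {
            echo "BAD signature for $f" >&2
            return 1
        }
    done
}

# Usage: sign-products.sh <download-dir>, e.g. the directory that is
# afterwards copied to download.eclipse.org together with the .asc files.
if [ "${1:-}" ]; then
    sign_artifacts "$1" && verify_artifacts "$1"
fi
```

Verification on the user's side additionally requires importing the project's public key first; without it `gpg --verify` reports the signature but cannot confirm who made it.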