The platform project produces 3 sets of products: 1. Equinox, 2. SDK, 3. Platform. We need to create GPG signatures for these artifacts for verification by end users.
As Platform already publishes some artifacts to Platform, I guess there is already a GPG certificate configured and this is "only" a matter of invoking `gpg sign`, copying the signature files together with the zips and showing them on the download page. Or is there some other concern I'm missing?
(In reply to Mickael Istria from comment #1)
> As Platform already publishes some artifacts to Platform, I guess there is
> already a GPG certificate configured and this is "only" a matter of invoking
> `gpg sign`, copying the signature files together with the zips and showing
> them on the download page.
> Or is there some other concern I'm missing?

The configuration is already there, but we are not doing GPG signing yet. I raised this to start work on creating GPG signatures.
I see 2 possible approaches:

1. Just gpg sign the deployed/published products: this would most likely need to be done in a post-build script, similarly to the copy to download.eclipse.org.
2. GPG sign all artifacts during the Tycho build with http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html . I hope this would sign the packaged products. That would sign much more than currently necessary but may be more generic and more useful in the long run.

Then the signature files just need to be copied together with the binaries onto download.eclipse.org.
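A sketch of approach 1 from the comment above (signing the published archives in a post-build step and checking every signature before the copy), added here as an example and not taken from the thread or from the project's build scripts. The function names, the flat directory of `.zip` files and the key ID argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: post-build signing of a directory of built archives.
# Assumptions (not from the project): archives are DIR/*.zip, the signing
# key is already in the GnuPG keyring and usable without a prompt.

# sign_drop DIR KEY_ID: write an armored detached signature
# DIR/<name>.zip.asc next to every DIR/*.zip
sign_drop() {
    local dir="$1" key="$2" f count=0
    for f in "$dir"/*.zip; do
        [ -e "$f" ] || continue            # glob matched nothing
        gpg --batch --yes --armor --local-user "$key" \
            --output "$f.asc" --detach-sign "$f" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]                     # nothing signed is a failure
}

# verify_drop DIR: fail if any archive has no signature or a bad one.
# Run this before publishing, so an unsigned or modified archive
# never reaches the download server.
verify_drop() {
    local dir="$1" f
    for f in "$dir"/*.zip; do
        [ -e "$f" ] || continue
        [ -f "$f.asc" ] || { echo "missing signature: $f" >&2; return 1; }
        gpg --batch --verify "$f.asc" "$f" 2>/dev/null \
            || { echo "bad signature: $f" >&2; return 1; }
    done
}

# Stand-alone use: script.sh DROP_DIR KEY_ID
if [ "$#" -ge 2 ]; then
    sign_drop "$1" "$2" && verify_drop "$1"
fi
```

End users run the same check as `verify_drop` does per file: `gpg --verify <name>.zip.asc <name>.zip`, after importing the project's public key.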