Re: [cbi-dev] Maven Windows Signing Plugin for Eclipse

[John Arthorne <John_Arthorne@xxxxxxxxxx>]

It seems similar to the jar signing problem.
The artifact to be signed is generally something that is produced during
the build. So really it needs to be done as a step at the end of the build
rather than at the beginning. The platform executable is the rare exception
where the branded executable is in our source tree. For everyone else,
the executable will be transformed during the build to insert the icon
for the given product being built. Since the most common case is that the
executable is altered during the Tycho build, the signing needs to come
in after that. Even in the platform build I wouldn't want to bake in the
assumption that the executable won't be altered in some way during the
product build.

I imagine the executable signing service
being much like the current jar signing service. It would be a very simple
process where the branded, unsigned executable is passed in, and the signed
executable comes out. Where it comes from and what happens to the result
wouldn't be the signing service's concern.

I guess the tricky part is that you
need to support the case of standalone builds run by third parties that
won't have access to the signing service, as well as builds done within
the build.eclipse.org and LTS forges where signing is available. That same
problem exists with the jar signing, so hopefully whatever technique was
used there could be used here too (can't remember if it was a profile or
system property).


John



From:      
 Thanh Ha <thanh.ha@xxxxxxxxxxx>
To:      
 Common-build Developers
discussion <cbi-dev@xxxxxxxxxxx>, 
Date:      
 04/30/2013 09:57 AM
Subject:    
   [cbi-dev] Maven
Windows Signing Plugin for Eclipse
Sent by:    
   cbi-dev-bounces@xxxxxxxxxxx

---

Hi Everyone,

We have some students working on creating a winsigner maven plugin [1]
to take advantage of the new windows signing service we setup at the foundation
[2].

Ultimately we want to be able to sign the Eclipse Platform Windows exes
but I'm not sure how best to approach this problem.

On one hand we could design the winsigner to be very simplistic and simply
sign an exe in a single project so that it would work for executables outside
of the Eclipse Platform too. But in this case where would we put the signed
executables so that CBI Platform build can get them? do we stuff it in
the rt.equinox.binaries repo too just like the unsigned?

I'm not familiar with how the executables in rt.equinox.binaries are produced
and released into there so maybe understanding this would be useful.


Another thought I had is we could parse the root_configuration.zip files
Tycho produces (rcp.config project comes to mind [3]) find the windows
exes, push to the signing service, then repack them. But I think this method
would be too specific to one project.

Maybe we could even parse artifacts (jar, zip, tar.gz?) produced by Maven
/ Tycho and unpack/repack them after signing?


I hope someone can point us in the right direction here.


[1] https://bugs.eclipse.org/406157
[2] http://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service_.28Instant.29
[3] http://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/rcp.config


Thanh

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/cbi-dev