[platform-releng-dev] A note about "signing" that requires your attentio

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[platform-releng-dev] A note about "signing" that requires your attention and maybe action

From: David M Williams <david_williams@xxxxxxxxxx>
Date: Thu, 11 Jul 2013 16:38:02 -0400
Delivered-to: platform-releng-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/platform-releng-dev>
List-help: <mailto:platform-releng-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/platform-releng-dev>, <mailto:platform-releng-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/platform-releng-dev>, <mailto:platform-releng-dev-request@eclipse.org?subject=unsubscribe>

Thanh, et. al., have added two important functions for us to improve our "signing story": 1) We'll start to sign Windows and Mac executables! [1] 2) We will start to sign "inner jars" [2]. The second one is less "news worthy" (being required for only a few special cases) but it is the one that MIGHT require committers to make 1 or more changes.

Unlike the PDE builds, where we skipped signing "test bundles", with CBI builds we now (correctly) sign all bundles. BUT, some of the "test bundles" have embedded in them large jars consisting of "data" or "test cases". So, now, even those test bundle inner jars will get signed. Ordinarily, this should not hurt anything, but might add a few minutes to the build. So, if you have a test bundle, with lots (or large) "inner jars" then you might want to edit or add an eclipse.inf file saying to skip signing children. Especially if you see test failures caused by the signing (which itself might be interesting .... but, might not be, either).

If you don't have an eclipse.inf file, as a reminder it goes in META-INF directory:
META-INF/eclipse.inf
and should suffice to have one line:
jarprocessor.exclude.children=true

Second point, ordinarily we do not "sign" nightly builds, but I've temporarily changed that bit of logic in our production builds so that nightly builds will be signed (probably until next I-build) just to help flush out any problems or issues with these new signing functions. So a) keep you eye on nightly tests, so see if any new failures due to signed inner jars; and b) you might want to try out a Nightly to make sure the Windows and Mac versions "run" without any "gatekeepers" turned off. If everything works as planned, next week we'll resume to the "don't sign nightlies" settings to save a little wear and tear on the infrastructure.

And, just to complicate matters, for Nightlies, where qualifiers always change, we'd expect all "inner jars" to start getting signed tonight (with the temporary change in settings). But, for I and M builds, if you have a case where you WANT your inner jars signed you may have to "touch" the bundle to make sure its qualifier increases or else will be replaced during "comparator" operation by an "older bundle" without the inner jars signed.

Thanks,

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=388878
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=401141

Follow-Ups:
- Re: [platform-releng-dev] A note about "signing" that requires your attention and maybe action
  - From: Thomas Watson

Prev by Date: [platform-releng-dev] Off-line for 2 weeks
Next by Date: [platform-releng-dev] 4.4.0 N-Build: N20130711-2000
Previous by thread: [platform-releng-dev] Off-line for 2 weeks
Next by thread: Re: [platform-releng-dev] A note about "signing" that requires your attention and maybe action
Index(es):
- Date
- Thread

Breadcrumbs