Re: [tycho-user] Signing jars and P2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tycho-user] Signing jars and P2

From: Igor Fedorenko <igor@xxxxxxxxxxxxxx>
Date: Sat, 03 Sep 2011 09:09:39 -0400
Delivered-to: tycho-user@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/tycho-user>
List-help: <mailto:tycho-user-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1

p2 metadata, namely artifacts.xml, contains md5 checksums of
corresponding artifacts. If checksums do not match, p2 rejects to
install. Currently, this metadata is generated by a mojo bound to Tycho
project default lifecycle package phase. jarsigner-plugin can only run
after metadata has been generated, thus invalidating the checksums and
making the artifacts unusable.

There are few possible solutions to this problem.

Currently, it is possible to re-run metadata generation after jarsigner
plugin. This is tedious to setup, but apparently works.

Another possibility is to redo how Tycho generates and consumes
artifacts.xml files. Fact is, Tycho does not really need this metadata
files for anything it does, so it is possible to skip their generation
altogether. This is not as simple as dropping metadata generation mojo
from the lifecycle, because Tycho will need to provide another
implementation to generate this metadata (but not the files). I believe
this is the best long-term solution, I just did not have time to work on it.

It is also possible to have solution specific to jarsigner plugin, which
I believe you suggest. This, however, will only work for one way of
singing jars and will not work for eclipse.org projects, for example,
which cannot use jarsigner plugin due to the way eclipse foundation
manages signing certificate(s).

--
Regards,
Igor

On 11-09-02 7:24 AM, Benson Margulies wrote:

I'm having a discussion at ASF about how we could set up a signature
infrastructure, and I was hoping that Igor or someone could help me
understand some parameters.

Is it really required to sign the jars 'in the middle of the process'?
If I left signing out of the picture, and made a P2 repository, can I
then sign all the jars in plugins and features and achieve the desired
result?

Quite aside from the ASF, this to me suggests a slightly hackish
alternative to the lifecycle problem: a new that is built by
inheriting from the implementation of the jarsigner plugin. It's only
purpose is to not be in the standard lifecycle, so that the tycho
lifecycle could put it in the right place.
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user

Follow-Ups:
- Re: [tycho-user] Signing jars and P2
  - From: Benson Margulies

References:
- [tycho-user] Signing jars and P2
  - From: Benson Margulies

Prev by Date: [tycho-user] Converting a P2 update-site into a maven repository
Next by Date: Re: [tycho-user] Signing jars and P2
Previous by thread: [tycho-user] Signing jars and P2
Next by thread: Re: [tycho-user] Signing jars and P2
Index(es):
- Date
- Thread

Breadcrumbs