Re: [tycho-user] Signing jars and P2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tycho-user] Signing jars and P2

From: Igor Fedorenko <igor@xxxxxxxxxxxxxx>
Date: Sat, 03 Sep 2011 09:35:41 -0400
Delivered-to: tycho-user@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/tycho-user>
List-help: <mailto:tycho-user-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1

Eclipse foundation certificate management approach is a bit
conservative, yes, but their reasoning is to protect the certificate
from "rogue" developers and compromised developer computers, which seems
reasonable, given they distributed and loosely controlled developer
audience. I am not security expert, however, so I don't know if there
are alternative less restrictive ways to manage signing certificates.

--
Regards,
Igor

On 11-09-03 9:15 AM, Benson Margulies wrote:

It is also possible to have solution specific to jarsigner plugin, which
I believe you suggest. This, however, will only work for one way of
singing jars and will not work for eclipse.org projects, for example,
which cannot use jarsigner plugin due to the way eclipse foundation
manages signing certificate(s).


It is beginning to look as if ASF may end up with a signing discipline
friendly to Tycho while Eclipse has none. Some might find this ironic.


--
Regards,
Igor

On 11-09-02 7:24 AM, Benson Margulies wrote:


I'm having a discussion at ASF about how we could set up a signature
infrastructure, and I was hoping that Igor or someone could help me
understand some parameters.

Is it really required to sign the jars 'in the middle of the process'?
If I left signing out of the picture, and made a P2 repository, can I
then sign all the jars in plugins and features and achieve the desired
result?

Quite aside from the ASF, this to me suggests a slightly hackish
alternative to the lifecycle problem: a new that is built by
inheriting from the implementation of the jarsigner plugin. It's only
purpose is to not be in the standard lifecycle, so that the tycho
lifecycle could put it in the right place.
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user


_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user

_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user

References:
- [tycho-user] Signing jars and P2
  - From: Benson Margulies
- Re: [tycho-user] Signing jars and P2
  - From: Igor Fedorenko
- Re: [tycho-user] Signing jars and P2
  - From: Benson Margulies

Prev by Date: Re: [tycho-user] Converting a P2 update-site into a maven repository
Next by Date: Re: [tycho-user] Converting a P2 update-site into a maven repository
Previous by thread: Re: [tycho-user] Signing jars and P2
Next by thread: Re: [tycho-user] Signing jars and P2
Index(es):
- Date
- Thread

Breadcrumbs