Re: [tycho-user] Signing jars and P2


On Sep 3, 2011, at 9:15 AM, Benson Margulies wrote:

It is also possible to have solution specific to jarsigner plugin, which
I believe you suggest. This, however, will only work for one way of
signing jars and will not work for eclipse.org projects, for example,
which cannot use jarsigner plugin due to the way eclipse foundation
manages signing certificate(s).

It is beginning to look as if ASF may end up with a signing discipline
friendly to Tycho while Eclipse has none. Some might find this ironic.


What are you talking about? Do you even know how it works at Eclipse?

The signing of artifacts that go out as official releases at Eclipse must pass through a highly secured machine for signing, and it's the only mechanism by which something can be signed. 



--
Regards,
Igor

On 11-09-02 7:24 AM, Benson Margulies wrote:

I'm having a discussion at ASF about how we could set up a signature
infrastructure, and I was hoping that Igor or someone could help me
understand some parameters.

Is it really required to sign the jars 'in the middle of the process'?
If I left signing out of the picture, and made a P2 repository, can I
then sign all the jars in plugins and features and achieve the desired
result?

Quite aside from the ASF, this to me suggests a slightly hackish
alternative to the lifecycle problem: a new that is built by
inheriting from the implementation of the jarsigner plugin. Its only
purpose is to not be in the standard lifecycle, so that the tycho
lifecycle could put it in the right place.
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user


Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
---------------------------------------------------------

You are never dedicated to something you have complete confidence in.
No one is fanatically shouting that the sun is going to rise tomorrow.
They know it is going to rise tomorrow. When people are fanatically
dedicated to political or religious faiths or any other kind of 
dogmas or goals, it's always because these dogmas or
goals are in doubt.

  -- Robert Pirsig, Zen and the Art of Motorcycle Maintenance



