Re: [tycho-user] Signing jars and P2

On Sat, Sep 3, 2011 at 9:21 PM, Igor Fedorenko <igor@xxxxxxxxxxxxxx> wrote:
> To make sure I understand, what is going to talk to a remote webservice
> for signing artifacts, currently released version of
> maven-jarsigner-plugin [1], a future version of maven-jarsigner
> plugin or some other (yet to be written?) maven plugin?

First of all, this is hypothetical so far.

Second of all, my personal vague plan as a maven committer is to add
client support to the existing maven-jarsigner-plugin -- but it is
early days.


>
> And, to be clear, problems signing releases with Tycho are not specific
> to Eclipse infra.

Does the Eclipse signing infrastructure allow you to run the
maven/tycho build on the protected machine with the private key? The
impression I got from your previous message this morning was that it
does not, and that produces an additional problem over and above the
lifecycle issue. If you can run the build with the
previously-described workaround on the designated machine at Eclipse,
I see that the situation would be precisely the same as the proposed
situation at Apache.


> These problems are caused by bad interaction of the
> way maven lifecycle inheritance works and how we decided to manage p2
> metadata during the build. You'll have exactly the same problem signing
> releases at Apache or, in fact, anywhere else until we implement one of
> the two solutions I mentioned earlier.
>
> [1] http://maven.apache.org/plugins/maven-jarsigner-plugin/
>
> --
> Regards,
> Igor
>
> On 11-09-03 1:01 PM, Benson Margulies wrote:
>>>
>>> What are you talking about? Do you even know how it works at Eclipse?
>>> The signing of artifacts that go out as official releases at Eclipse must
>>> pass through a highly secured machine for signing, and it's the only
>>> mechanism by which something can be signed.
>>
>> Jason,
>>
>> I knew that, Igor knows that, and it poses a problem for Tycho builds
>> -- according to Igor, who knows much more about it than I do.
>>
>> Meanwhile, over at ASF infrastructure, there is a discussion going on
>> about how to sign official *Apache* releases. The goal is to have just
>> as much control as Eclipse.org has, but still allow a maven plugin to
>> do the signing via a web service in the midst of a build, which is
>> what is required to work with Tycho.
>>
>> I perceived a tiny bit of humor in the possibility that we might end
>> up in a situation in which it is less cumbersome to make a
>> fully-signed release of an Eclipse plugin with Tycho at Apache than at
>> Eclipse. Emphasis on 'tiny'.
>>
>> Is that clear?
>>
>> --benson
>> _______________________________________________
>> tycho-user mailing list
>> tycho-user@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/tycho-user
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/tycho-user
>
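The thread above says that signing with Tycho collides with how p2 metadata is managed during the build, but does not spell out what goes wrong. One concrete consequence worth checking for is that p2's artifacts.xml records the size and checksum of each jar, so a jar that is signed after the p2 metadata step no longer matches its own repository metadata. The script below is an added example written for this page; it is not code from the thread, from Tycho or from maven-jarsigner-plugin. It assumes the p2 simple artifact repository property names (download.size, download.md5, download.checksum.sha-256) and a plugins/<id>_<version>.jar layout, and it uses a constructed jar whose META-INF/SIGNER.SF and SIGNER.RSA entries are stand-ins for what a real signer would add, not genuine signature files.

```python
"""Check a p2 artifacts.xml against the jars actually on disk.

Added example for the tycho-user thread on signing and p2; not project code.
Assumptions: p2 simple-artifact-repository property names, and a
plugins/<id>_<version>.jar (features/ for features) layout beside artifacts.xml.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Checksum properties p2 writes into artifacts.xml, mapped to hashlib names.
_CHECKSUM_PROPS = {"download.md5": "md5", "download.checksum.sha-256": "sha256"}


def artifact_path(repo_dir, classifier, artifact_id, version):
    """Assumed on-disk location of an artifact inside the repository."""
    sub = "features" if classifier == "org.eclipse.update.feature" else "plugins"
    return os.path.join(repo_dir, sub, f"{artifact_id}_{version}.jar")


def parse_artifacts_xml(xml_text):
    """Return {(classifier, id, version): {property name: value}} from artifacts.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    expected = {}
    for art in root.iter("artifact"):
        key = (art.get("classifier"), art.get("id"), art.get("version"))
        expected[key] = {p.get("name"): p.get("value") for p in art.iter("property")}
    return expected


def verify_repository(repo_dir, xml_text):
    """Return [(artifact key, problem), ...]; an empty list means metadata and jars agree."""
    problems = []
    for key, props in parse_artifacts_xml(xml_text).items():
        path = artifact_path(repo_dir, *key)
        if not os.path.exists(path):
            problems.append((key, "missing file"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if "download.size" in props and int(props["download.size"]) != len(data):
            problems.append((key, "size mismatch"))
        for prop, algo in _CHECKSUM_PROPS.items():
            if prop in props and hashlib.new(algo, data).hexdigest() != props[prop].lower():
                problems.append((key, f"{prop} mismatch"))
    return problems


def make_jar(path, signed=False):
    """Write a minimal constructed jar; signed=True adds stand-in signature entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nBundle-SymbolicName: org.example.bundle\n")
        z.writestr("org/example/Hello.class", b"\xca\xfe\xba\xbe")  # constructed stub
        if signed:
            # Stand-ins for the signature file and signature block jarsigner would add.
            z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/SIGNER.RSA", b"\x30\x82")


def metadata_for(path, classifier, artifact_id, version):
    """Build an artifacts.xml fragment recording the size and checksums of the jar as it is now."""
    with open(path, "rb") as fh:
        data = fh.read()
    return f"""<?xml version='1.0' encoding='UTF-8'?>
<repository name='demo' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository' version='1.0.0'>
  <artifacts size='1'>
    <artifact classifier='{classifier}' id='{artifact_id}' version='{version}'>
      <properties size='3'>
        <property name='download.size' value='{len(data)}'/>
        <property name='download.md5' value='{hashlib.md5(data).hexdigest()}'/>
        <property name='download.checksum.sha-256' value='{hashlib.sha256(data).hexdigest()}'/>
      </properties>
    </artifact>
  </artifacts>
</repository>
"""


def demo():
    """Metadata generated before signing: returns (problems before signing, problems after)."""
    with tempfile.TemporaryDirectory() as repo:
        key = ("osgi.bundle", "org.example.bundle", "1.0.0")
        jar = artifact_path(repo, *key)
        make_jar(jar, signed=False)
        xml_text = metadata_for(jar, *key)        # p2 metadata step runs on the unsigned jar
        before = verify_repository(repo, xml_text)  # consistent
        make_jar(jar, signed=True)                  # signing rewrites the jar afterwards
        after = verify_repository(repo, xml_text)   # recorded size and checksums are now stale
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run against a real repository by pointing verify_repository at the directory containing plugins/ and passing the text of its artifacts.xml; any "size mismatch" or checksum mismatch on a release build is the symptom to look for when the signing step and the p2 metadata step have run in the wrong order.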