Re: [tycho-user] Signing jars and P2

I probably misunderstood how you intend to use webservices to sign jars.
In any case, there are ways to implement signing that do not require the
build system to have direct access to the signing certificate. There is
in fact a maven plugin that signs builds using eclipse infrastructure,
and problems with the lifecycle are the only technical reason this plugin
cannot be easily used as part of a Tycho build.

--
Regards,
Igor

On 11-09-03 9:44 PM, Benson Margulies wrote:
On Sat, Sep 3, 2011 at 9:21 PM, Igor Fedorenko<igor@xxxxxxxxxxxxxx>  wrote:
To make sure I understand, what is going to talk to a remote webservice
for signing artifacts, currently released version of
maven-jarsigner-plugin [1], a future version of maven-jarsigner
plugin or some other (yet to be written?) maven plugin?

First of all, this is hypothetical so far.

Second of all, my personal vague plan as a maven committer is to add
client support to the existing maven-jarsigner-plugin -- but it is
early days.



And, to be clear, problems signing releases with Tycho are not specific
to Eclipse infra.

Does the Eclipse signing infrastructure allow you to run the
maven/tycho build on the protected machine with the private key? The
impression I got from your previous message this morning was that it
does not, and that produces an additional problem over and above the
lifecycle issue. If you can run the build with the
previously-described workaround on the designated machine at Eclipse,
I see that the situation would be precisely the same as the proposed
situation at Apache.


These problems are caused by bad interaction of the
way maven lifecycle inheritance works and how we decided to manage p2
metadata during the build. You'll have exactly the same problem signing
releases at Apache or, in fact, anywhere else until we implement one of
the two solutions I mentioned earlier.

[1] http://maven.apache.org/plugins/maven-jarsigner-plugin/

--
Regards,
Igor

On 11-09-03 1:01 PM, Benson Margulies wrote:

What are you talking about? Do you even know how it works at Eclipse?
The signing of artifacts that go out as official releases at Eclipse must
pass through a highly secured machine for signing, and it's the only
mechanism by which something can be signed.

Jason,

I knew that, Igor knows that, and it poses a problem for Tycho builds
-- according to Igor, who knows much more about it than I do.

Meanwhile, over at ASF infrastructure, there is a discussion going on
about how to sign official *Apache* releases. The goal is to have just
as much control as Eclipse.org has, but still allow a maven plugin to
do the signing via a web service in the midst of a build, which is
what is required to work with Tycho.

I perceived a tiny bit of humor in the possibility that we might end
up in a situation in which it is less cumbersome to make a
fully-signed release of an Eclipse plugin with Tycho at Apache than at
Eclipse. Emphasis on 'tiny'.

Is that clear?

--benson
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user
