Re: [tycho-user] Signing jars and P2

On Sat, Sep 3, 2011 at 10:09 PM, Igor Fedorenko <igor@xxxxxxxxxxxxxx> wrote:
> I probably misunderstood how you intend to use webservices to sign jars.
> In any case, there are ways to implement signing that does not require
> build system to have direct access to the signing certificate. There is
> in fact a maven plugin that signs builds using eclipse infrastructure
> and problems with lifecycle is the only technical reason this plugin
> cannot be easily used as part of Tycho build.

OK, we were precisely parallel in misunderstanding. On with the show.

With a maven release visible in the mid-term horizon, either or both
of us could tackle the lifecycle issue.

>
> --
> Regards,
> Igor
>
> On 11-09-03 9:44 PM, Benson Margulies wrote:
>>
>> On Sat, Sep 3, 2011 at 9:21 PM, Igor Fedorenko <igor@xxxxxxxxxxxxxx> wrote:
>>>
>>> To make sure I understand, what is going to talk to a remote webservice
>>> for signing artifacts, currently released version of
>>> maven-jarsigner-plugin [1], a future version of maven-jarsigner
>>> plugin or some other (yet to be written?) maven plugin?
>>
>> First of all, this is hypothetical so far.
>>
>> Second of all, my personal vague plan as a maven committer is to add
>> client support to the existing maven-jarsigner-plugin -- but it is
>> early days.
>>
>>
>>>
>>> And, to be clear, problems signing releases with Tycho are not specific
>>> to Eclipse infra.
>>
>> Does the Eclipse signing infrastructure allow you to run the
>> maven/tycho build on the protected machine with the private key? The
>> impression I got from your previous message this morning was that it
>> does not, and that produces an additional problem over and above the
>> lifecycle issue. If you can run the build with the
>> previously-described workaround on the designated machine at Eclipse,
>> I see that the situation would be precisely the same as the proposed
>> situation at Apache.
>>
>>
>>> These problems are caused by bad interaction of the
>>> way maven lifecycle inheritance works and how we decided to manage p2
>>> metadata during the build. You'll have exactly the same problem signing
>>> releases at Apache or, in fact, anywhere else until we implement one of
>>> the two solutions I mentioned earlier.
>>>
>>> [1] http://maven.apache.org/plugins/maven-jarsigner-plugin/
>>>
>>> --
>>> Regards,
>>> Igor
>>>
>>> On 11-09-03 1:01 PM, Benson Margulies wrote:
>>>>>
>>>>> What are you talking about? Do you even know how it works at Eclipse?
>>>>> The signing of artifacts that go out as official releases at Eclipse
>>>>> must
>>>>> pass through a highly secured machine for signing, and it's the only
>>>>> mechanism by which something can be signed.
>>>>
>>>> Jason,
>>>>
>>>> I knew that, Igor knows that, and it poses a problem for Tycho builds
>>>> -- according to Igor, who knows much more about it than I do.
>>>>
>>>> Meanwhile, over at ASF infrastructure, there is a discussion going on
>>>> about how to sign official *Apache* releases. The goal is to have just
>>>> as much control as Eclipse.org has, but still allow a maven plugin to
>>>> do the signing via a web service in the midst of a build, which is
>>>> what is required to work with Tycho.
>>>>
>>>> I perceived a tiny bit of humor in the possibility that we might end
>>>> up in a situation in which it is less cumbersome to make a
>>>> fully-signed release of an Eclipse plugin with Tycho at Apache than at
>>>> Eclipse. Emphasis on 'tiny'.
>>>>
>>>> Is that clear?
>>>>
>>>> --benson
>>>> _______________________________________________
>>>> tycho-user mailing list
>>>> tycho-user@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/tycho-user
>>>

