Re: [tycho-user] Question about signing and keystore management
Hi Aleksandar, I was wondering, do you sign your plugins and how do you manage your keystores containing the certificates?
Well, on the Open Source side of things we use the Eclipse Foundation's signing service through the eclipse-jarsigner-plugin. If you don't mind the admin work, you can also set up your own signing webservice and use the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would not need to distribute your keystore at all but can keep it on the webservice's server. (Disclaimer: I have not tried this.)
Of course with this solution, you need to protect the access to the webservice, otherwise anybody can sign jars with the certificate. We achieve that by keeping it behind our firewall, and only machines from the same origin can call it.
Cheers, Mikael
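The setup discussed in this message, sketched as a build configuration. This is an added example, not part of the original e-mail or taken from the posters' projects. It points the eclipse-jarsigner-plugin at a self-hosted signing webservice through the plugin's `signerUrl` parameter, so the keystore stays on the service host and never reaches developer machines or build agents. The host name `signing.internal.example`, the port, the path and the `${cbi.plugins.version}` property are placeholders.

```xml
<!-- Added example: pom.xml fragment for a Tycho build.
     Host, port, path and version property are placeholders. -->
<pluginRepositories>
  <pluginRepository>
    <!-- Eclipse CBI release repository that hosts the plugin -->
    <id>cbi-releases</id>
    <url>https://repo.eclipse.org/content/repositories/cbi-releases/</url>
  </pluginRepository>
</pluginRepositories>

<build>
  <plugins>
    <plugin>
      <groupId>org.eclipse.cbi.maven.plugins</groupId>
      <artifactId>eclipse-jarsigner-plugin</artifactId>
      <version>${cbi.plugins.version}</version>
      <executions>
        <execution>
          <id>sign</id>
          <goals>
            <goal>sign</goal>
          </goals>
          <configuration>
            <!-- The jar is sent to this service and the signed jar comes back;
                 no keystore, alias or password appears in the build.
                 The service must only be reachable from trusted build
                 machines, because any caller that can reach it can obtain
                 a valid signature. -->
            <signerUrl>https://signing.internal.example:8443/jarsigner/sign</signerUrl>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Putting the signing execution in a Maven profile that only the build server activates keeps local developer builds from calling the service at all.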