So I managed to configure the eclipse-jarsigner-plugin. Below I'll provide a small Howto and share my experience:
1. Clone the git repository:
https://git.eclipse.org/c/cbi/org.eclipse.cbi.git/
2. Build the webservice jar yourself with mvn clean install; it is under
webservice/signing/jar.
3. Copy the jar file from target and copy the template configuration file from
https://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/etc/jar-signing-service.properties into the same folder.
4. Create a keystore with your certificate and use the same password for the keystore and keypass.
5. Change the jar-signing-service.properties.
6. In the parent pom you need the following changes:
<plugin>
  <groupId>org.eclipse.cbi.maven.plugins</groupId>
  <artifactId>eclipse-jarsigner-plugin</artifactId>
  <version>1.1.0</version>
  <executions>
    <execution>
      <id>sign</id>
      <goals>
        <goal>sign</goal>
      </goals>
      <phase>verify</phase>
    </execution>
  </executions>
  <configuration>
    <signerUrl>http:
  </configuration>
</plugin>
......
<pluginRepositories>
  <pluginRepository>
    <id>eclipse</id>
    <name>Eclipse Plugin Repository</name>
    <url>https:
    <layout>default</layout>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
    <releases>
      <updatePolicy>never</updatePolicy>
    </releases>
  </pluginRepository>
Thank you Andreas for the tip and Mikael for your help.
P.S.: You need a newer mvn and Java 8.
--
Best regards,
Aleksandar Toshovski
On 02/10/15 10:32, Mikael Barbero wrote:
Hi Aleksandar,
I was wondering, do you sign your plugins and how do you manage your
keystores containing the certificates?
Well, on the Open Source side of things we use the Eclipse Foundation's
signing service through the eclipse-jarsigner-plugin. If you don't mind
the admin work, you can also set up your own signing webservice and use
the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
not need to distribute your keystore at all but can keep it on the
webservice's server. (Disclaimer: I have not tried this.)
Of course with this solution, you need to protect the access to the webservice, otherwise anybody can sign jars with the certificate. We achieve that by keeping it behind our firewall, and only machines from the same origin can call it.
Cheers,
Mikael
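
An added example for step 4 of the how-to above (not part of the original posts, and not code from the CBI project): creating a keystore whose key password equals the store password, then confirming that one password really opens both. The alias, DN, key size and the KS_PASS variable name are assumptions, and a self-signed test key stands in for your real certificate.

```shell
#!/bin/sh
# Constructed values: alias, DN, validity, key size, KS_PASS variable name.
# The password is read from the environment via keytool's ":env" modifier,
# so it never shows up in the process list or in shell history.

# create_signing_keystore <keystore-file> <alias>
create_signing_keystore() {
    ks=$1; key_alias=$2
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; return 2; }
    [ ! -e "$ks" ] || { echo "$ks already exists" >&2; return 3; }
    (
        # Keystore file readable by the service account only.
        umask 077
        keytool -genkeypair -alias "$key_alias" -keyalg RSA -keysize 3072 \
            -dname "CN=Example Signer, O=Example" -validity 365 \
            -keystore "$ks" \
            -storepass:env KS_PASS -keypass:env KS_PASS
    ) >/dev/null 2>&1
}

# check_same_password <keystore-file> <alias>
# Succeeds only if KS_PASS opens the keystore AND the private key entry:
# -certreq must use the private key to sign the request, so a mismatched
# key password makes it fail even when the store password is right.
check_same_password() {
    keytool -certreq -alias "$2" -keystore "$1" \
        -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
}
```

Run check_same_password against the keystore you actually deploy next to the webservice jar before pointing jar-signing-service.properties at it.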
_______________________________________________
tycho-user mailing list