Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

> Have you tried contributing to upstream projects so they can get those
> artifacts signed?

Just keep in mind that there's a world outside Eclipse, and it's often undesirable for OS projects to sign them, either because one has to pay for a certificate, it's too difficult to manage one, or there is simply no organization that could act as the certificate owner.

On 06.01.21 at 15:05, Mickael Istria wrote:


On Wed, Jan 6, 2021 at 1:59 PM Johan Compagner <jcompagner@xxxxxxxxxx> wrote:

    isn't the maven-jarsigner-plugin only used for plugins that you
    build yourself?
    So the plugin projects with pom files that are compiled, built,
    repacked, and signed by tycho?


That's right.

    which makes a p2 site for us where the jars are coming from all
    kinds of things (mostly from maven central)


Have you tried contributing to upstream projects so they can get those artifacts signed? Or do you really need those 3rd party artifacts to be signed by your own certificate? In which case, those become different artifacts, and you'd need to re-build or repackage them (ideally changing the Bundle-Vendor in MANIFEST to make it explicit that it's not an "official" upstream artifact).

_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user


