Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?

Hi Johan,

Orbit has two cases:

1- Bundles built with bndtools by Orbit as part of the build are signed in the normal bundle signing way. The bundles don't have identical content to the Maven Central ones, differing in the manifest and legal "paperwork" in the bundles.
2- Orbit has some old bundles that Roland re-signs on occasion; when he does that, all the p2 metadata needs to be updated. It most recently happened for the 2020-12 release. See Bug 553288 - the re-signing happens with this Orbit job (https://ci.eclipse.org/orbit/job/orbit-manual-signer/), but I don't know how the p2 metadata is repackaged.

HTH,
Jonah


~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com


On Wed, 6 Jan 2021 at 09:39, Johan Compagner <jcompagner@xxxxxxxxxx> wrote:
Yes, as far as I know all the Apache stuff that is on Maven (commons, dbcp) is not signed..
because who would do that? Who can get their hands on those signing certificates?
Not sure if Apache has stuff for that in place (like Eclipse does).

I think that's why Eclipse has Orbit, right?

which are all signed by Eclipse,

I guess that's done by the CBI tools that make that Orbit (or is that done by hand by a person? Download that commons-io jar from Maven Central, sign it and then make the Orbit dump....)

So Orbit does fix it for us, but Orbit is just a subset and a bit slow in updating stuff, so not always an option.

That's why I would like Tycho to do that for me.
So we move the signing part away from the plugin/jar compile/build part completely and move it to when the plugin/jar (that is built, or that is from a 3rd party source) is used in an end "product".

That end product can of course be a real product but also just a p2 site itself.
But I guess if we would implement this in the correct location the product would be auto done, because the product is built from a generated repository, right?




On Wed, 6 Jan 2021 at 15:08, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
> Have you tried contributing to upstream projects so they can get those
> artifacts signed?

Just keep in mind that there's a world outside Eclipse and it's often
undesirable for OS projects to sign them, either because one has to pay
for a certificate, it's too difficult to manage one, or there is simply no
organization that could act as the certificate owner.

On 06.01.21 at 15:05, Mickael Istria wrote:
>
>
> On Wed, Jan 6, 2021 at 1:59 PM Johan Compagner <jcompagner@xxxxxxxxxx
> <mailto:jcompagner@xxxxxxxxxx>> wrote:
>
>     isn't the maven-jarsigner-plugin only used for plugins that you
>     build yourself?
>     So the plugin projects with pom files that are compiled, built,
>     repacked, and signed by tycho?
>
>
> That's right.
>
>     which makes a p2 site for us where the jars are coming from all
>     kinds of things (mostly from maven central)
>
>
> Have you tried contributing to upstream projects so they can get those
> artifacts signed?
> Or do you really need those 3rd party artifacts to be signed by your own
> certificate? In which case, then those become different artifacts, and
> you'd need to re-build or repackage them (ideally changing the
> Bundle-Vendor in MANIFEST to make explicit that it's not an "official" upstream
> artifact).
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
>


--
Johan Compagner
Servoy
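Johan's original question was whether Tycho could check the signing of every plugin jar that ends up in a product or p2 site. The script below is an added example of the simplest form of that check; it is not code from this thread, from Tycho or from Orbit. It walks a repository's plugins/ folder and reports which bundles carry no JAR signature at all, by looking for the META-INF/*.SF signature file together with its matching .RSA/.DSA/.EC signature block. Presence of those entries only shows that a jar was signed; it says nothing about whether the signature is valid or the certificate trusted, which is what `jarsigner -verify -verbose -certs <jar>` checks. The bundle names and jar contents are constructed placeholders.

```python
"""Audit a p2 repository's plugins/ folder for unsigned bundles (added example)."""
import os
import re
import tempfile
import zipfile

# A signed jar has META-INF/<signer>.SF plus a signature block with one of these extensions.
SIG_FILE = re.compile(r"^META-INF/([^/]+)\.SF$")
BLOCK_EXTENSIONS = (".RSA", ".DSA", ".EC")


def signature_entries(jar_path):
    """Return the signer names that have both a .SF file and a matching signature block.

    A .SF file without its block (or vice versa) is treated as not signed, since
    jarsigner would not accept it either.
    """
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    signers = set()
    for name in names:
        match = SIG_FILE.match(name)
        if match is None:
            continue
        signer = match.group(1)
        if any(f"META-INF/{signer}{ext}" in names for ext in BLOCK_EXTENSIONS):
            signers.add(signer)
    return signers


def signed_status(plugins_dir):
    """Map each jar file name under plugins_dir to its sorted list of signer names."""
    status = {}
    for entry in sorted(os.listdir(plugins_dir)):
        if entry.endswith(".jar"):
            status[entry] = sorted(signature_entries(os.path.join(plugins_dir, entry)))
    return status


def unsigned_bundles(plugins_dir):
    """List the jars under plugins_dir that carry no usable signature."""
    return [name for name, signers in signed_status(plugins_dir).items() if not signers]


def _write_sample_jar(path, signature):
    """Constructed sample jar: signature is None, "full", or "sf-only" (orphan .SF file)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nBundle-SymbolicName: org.example.sample\n")
        zf.writestr("org/example/Sample.class", b"\xca\xfe\xba\xbe")
        if signature in ("full", "sf-only"):
            # Placeholder content; a real signer writes digests here.
            zf.writestr("META-INF/ECLIPSE_.SF", "Signature-Version: 1.0\n")
        if signature == "full":
            # Placeholder content; a real signer writes a PKCS#7 block here.
            zf.writestr("META-INF/ECLIPSE_.RSA", b"\x30\x82placeholder")


def demo_repository():
    """Build a throwaway plugins/ folder with one signed, one unsigned and one broken bundle."""
    plugins = os.path.join(tempfile.mkdtemp(prefix="p2-audit-"), "plugins")
    os.makedirs(plugins)
    _write_sample_jar(os.path.join(plugins, "org.example.signed_1.0.0.jar"), "full")
    _write_sample_jar(os.path.join(plugins, "org.example.thirdparty_1.0.0.jar"), None)
    _write_sample_jar(os.path.join(plugins, "org.example.broken_1.0.0.jar"), "sf-only")
    return plugins


if __name__ == "__main__":
    repo_plugins = demo_repository()
    for jar_name, jar_signers in signed_status(repo_plugins).items():
        print(f"{jar_name}: {'signed by ' + ', '.join(jar_signers) if jar_signers else 'UNSIGNED'}")
```

Run against a real repository by calling `unsigned_bundles("/path/to/repo/plugins")`; a build gate would fail if the list is non-empty, then hand the remaining jars to `jarsigner -verify` for the actual cryptographic check.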
