Re: [tycho-user] would it be possible for tycho to check the signing (and sign) all plugin jars that are put into the product?
On Wed, 2021-01-06 at 09:56 -0500, Jonah Graham wrote:
> Hi Johan,
>
> The Orbit has two cases:
>
> 1- Bundles are built with bndtools by Orbit as part of the build they
> are signed in the normal bundle signing way. The bundles don't have
> identical content to the maven central ones, differing in the
> manifest and legal "paperwork" in the bundles.
> 2- Orbit has some old bundles that Roland resigns on occasion, when
> he does that all the p2 metadata needs to be updated. It most
> recently happened for 2020-12 release. See Bug 553288 - the resigning
> happens with this orbit job
> (https://ci.eclipse.org/orbit/job/orbit-manual-signer/) but I don't
> know how the p2 metadata is repackaged.

The reason the orbit-recipes process works for signing is because it
contains modules that simply download one or more sets of artifacts and
re-packages them as a new artifact produced by the build. The modules
have a packaging type that eclipse-jarsigner-plugin recognizes and so
it signs all generated artifacts of that module.

If there were a way to download an artifact and attach it to some
module (as if it were generated, but not), then as long as
eclipse-jarsigner-plugin recognized the packaging of the module, it
should sign all the artifacts.

The approach from (2) would only work if you don't already generate a
p2 repository, since as you mention, the signing modifies the
artifacts.

Cheers,
--
Roland Grunberg