Re: [tycho-user] Skipping Default Eclipse Digital Signature in generated

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tycho-user] Skipping Default Eclipse Digital Signature in generated product exe file

From: "Fauth Dirk (XC-ECO/ESM1)" <Dirk.Fauth@xxxxxxxxxxxx>
Date: Tue, 2 Feb 2021 05:39:32 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=de.bosch.com; dmarc=pass action=none header.from=de.bosch.com; dkim=pass header.d=de.bosch.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QYyqqxohQA65Ii5Hrwgvos04D+zvfkALiBeV2+9CEg4=; b=gfxxWnqX1w64ZexWLS/35wrGKbwP3gq06uq3xZ/2CkdWWTP3aOQJ90aze0WRUFskBe+GVx7FDh0CbW0PmFSSZUgvlDuL4cDGrCxrZrNA9KIhQ+fXVm9jj8nM+GbgfirBRPTbGa30+yjEjJ0/+pmfipYUIaa/ErRomxi0vn15y8j8cvG4eWIWBr1fKdnBzEVmXnvvLINpgIDQ51FGFGphfRNrw4y8ZJ0m8LoyCp4c7FqcvoY1ZNw7j0GmJWXI4dHq/WFOsGPlNNrqxVaUzyOK93UUbTvqogWzUGFOmA7+n+5RMOV9xkIjSZtuKwqY+bZigSVrtGJ4SApQ/wsC6eh/9g==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EeB549QJOwY052+tnNmIOtzOeE6sa7/1rHWsiUxSgCMAmSStLLmMLRVB1WV8SXQfUTrK1uBZnQk5gOtBxHYBEl6NEPWkLSbRVuWwN/ZIK8eDyHjURZ+OQMkEHRh1TZFkFds1BDL7F7Mfnv+sfwfZ/DebyFZsN1Oier2F00JzAreYUQmQMuzBlmTKCPuenna/T0mBDbGZWD4Kq/4iVLa9Ly0e5K74zi0tprzzOuNb0I56BljlravEMNb8kUT3Zm8viwQ3Fby5FFnjuXuZUNdjmsuESp+AC5J3O9ukXEpC73K7ZgA8Lby3UzXHSuhO0Gf4hnCp/HbR/uq6qAaoa0PfIw==
Delivered-to: tycho-user@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/tycho-user/>
List-help: <mailto:tycho-user-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=unsubscribe>
Thread-index: Adb4vhpdyTWU6CO9TnmrHfjiIJ4IBwACQMSAABbDcoA=
Thread-topic: [tycho-user] Skipping Default Eclipse Digital Signature in generated product exe file

Hi,

It seems there is still a misunderstanding. The EXE file is NOT generated at build time by Tycho. It is already built and provided by Eclipse via an update site. Other Tycho builds just consume the published executable.

From the documentation [1]:

“The equinox launcher comes in 3 pieces: the native executable (eclipse.exe), a shared library (eclipse_1017.dll) and the launcher jar (org.eclipse.equinox.launcher_1.0.0.jar). The executable lives in the root of the eclipse install. The shared library is in a platform specific fragment (i.e. org.eclipse.equinox.launcher.win32.win32.x86). The shared library and the launcher jar live in the plugins directory.”

The artifacts are available via Git [2].

IIRC the executables in the Eclipse p2 repo are signed since 4.13 according to this ticket [3]. Previously only the executables in the products published by Eclipse (namely the Eclipse IDE) were signed, not the ones in the repository. Following the comments in the referenced ticket it was decided to sign the executables in the repository also, because unsigned executables cause issues in current operating system versions. And as the executable is build and provided by Eclipse, it is now signed and sealed to ensure that nobody modifies it if it is consumed via Eclipse update sites.

If you need an unsigned executable from 4.13 on, you probably will need to build the launcher [4] yourself. Then you can sign it with a company signature afterwards. Not sure if the executable in [2] is already signed, but that should be easy to test.

[1] https://www.eclipse.org/equinox/documents/quickstart-framework.php

[2] https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/tree/

[3] https://bugs.eclipse.org/bugs/show_bug.cgi?id=548431

[4] https://git.eclipse.org/c/equinox/rt.equinox.framework.git/tree/bundles/org.eclipse.equinox.launcher/

Mit freundlichen Grüßen / Best regards

Dirk Fauth

Cross-Domain Computing Solutions, Cross Automotive Platforms - System, Software and Tools Engineering Engineering Software Methods and Tools1 (XC-ECO/ESM1)
Robert Bosch GmbH | Postfach 30 02 40 | 70442 Stuttgart | GERMANY | www.bosch.com
Tel. +49 711 811-57819 | Telefax +49 711 811 | Dirk.Fauth@xxxxxxxxxxxx

Sitz: Stuttgart, Registergericht: Amtsgericht Stuttgart, HRB 14000;
Aufsichtsratsvorsitzender: Franz Fehrenbach; Geschäftsführung: Dr. Volkmar Denner,
Prof. Dr. Stefan Asenkerschbaumer, Filiz Albrecht, Dr. Michael Bolle, Dr. Christian Fischer,
Dr. Stefan Hartung, Dr. Markus Heyn, Harald Kröger, Rolf Najork, Uwe Raschke

Von: tycho-user <tycho-user-bounces@xxxxxxxxxxx> Im Auftrag von Jonah Graham
Gesendet: Montag, 1. Februar 2021 19:22
An: Tycho user list <tycho-user@xxxxxxxxxxx>
Cc: Narayana Swamy Ramesh (RBEI/EMT1) <Ramesh.NarayanaSwamy@xxxxxxxxxxxx>
Betreff: Re: [tycho-user] Skipping Default Eclipse Digital Signature in generated product exe file

Hello,

I was wondering what progress you have made since you raised this same question in August[1]? As mentioned in the August conversation and associated bug[2], the signing is not done by tycho, the input eclipse.exe is signed by Eclipse. FWIW, you (and no one outside of builds run on Eclipse Foundation servers) can sign anything with the Eclipse Foundation signature.

You may find this SO q&a[3] useful, it is some info about removing a signature.

[1] https://www.eclipse.org/lists/tycho-user/msg08610.html

[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=565937

[3] https://stackoverflow.com/a/40173109/2796832

Jonah

~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com

On Mon, 1 Feb 2021 at 12:17, Sathish Kumar Maheshwaran (RBEI/EMT1) <SathishKumar.Maheswaran@xxxxxxxxxxxx> wrote:

Hello Users,

We are facing an issue while building an Eclipse RCP in Eclipser Version (V4.14) via tycho. The RCP that is generated out of the materialize products goal is automatically signed by eclipse. This behavior does not happen in Eclipse Version (4.8) and is happening only in the later versions.

Is there any tycho goal which we can add to disable the signing process for the executable. Thanks in advance.

N

Mit freundlichen Grüßen / Best regards

Maheshwaran Sathish Kumar

AUTOSAR MSR editors (RBEI/EMT1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY | www.bosch.com
Tel. +91 422 6191179 | Fax +91 422 663-4104 | Threema / Threema Work: +914226764154 | SathishKumar.Maheswaran@xxxxxxxxxxxx

Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart, HRB 14000;
Chairman of the Supervisory Board: Franz Fehrenbach; Managing Directors: Dr. Volkmar Denner,
Prof. Dr. Stefan Asenkerschbaumer, Filiz Albrecht, Dr. Michael Bolle, Dr. Christian Fischer,
Dr. Stefan Hartung, Dr. Markus Heyn, Harald Kröger, Rolf Najork, Uwe Raschke

_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user

References:
- [tycho-user] Skipping Default Eclipse Digital Signature in generated product exe file
  - From: Sathish Kumar Maheshwaran (RBEI/EMT1)
- Re: [tycho-user] Skipping Default Eclipse Digital Signature in generated product exe file
  - From: Jonah Graham

Prev by Date: Re: [tycho-user] tycho-user Digest, Vol 126, Issue 3 : Skipping Eclipse Default Signature
Next by Date: [tycho-user] tycho-eclipserun-plugin: set multiple JDKs in runtime workspace
Previous by thread: Re: [tycho-user] Skipping Default Eclipse Digital Signature in generated product exe file
Next by thread: Re: [tycho-user] tycho-user Digest, Vol 126, Issue 3 : Skipping Eclipse Default Signature
Index(es):
- Date
- Thread

Breadcrumbs