[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cbi-dev] Signing CHE artifacts

Hi Roman,

The foundation provides several signing services. They are only accessible from within the private LAN because, as Gunnar said, this is how we protect the Eclipse Foundation certificate from being used by anyone ;) The services are described on the wiki https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F. Find below some additional comments.

Jar signing (in the JVM signing meaning http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html)

There are three ways to sign a jar @ eclipse.

OS X .app signing

Windows .exe signing

I you want to use the command line tool to sign jars, you have to fill a bug to ask for the permissions to use it as it is restricted to specific users.

Hope this helps.

Cheers,
Mikael


Le 9 mars 2016 Ã 10:16, Roman Iuvshin <riuvshin@xxxxxxxxxxx> a Ãcrit :

Hi, thank you for response!
Yes I have some kind of access to build.eclipse.org but only a few commands are available, not sure If I can sign binaries this way.
We are using our own CI infrastructure and it seems adding maven plugins to our project's poms will not help.
So  can you please enumerate steps which I need to perform to sign Eclipse Che binaries? btw we've uploaded few RC versions using
scp -i ~/.ssh/eclipse_upload eclipse-che-4.0.0-RC11.tar.gz riuvshin@xxxxxxxxxxxxxxx:downloads/che/
Is there a way sign already uploaded bundle?

Thanks! 

On Wed, Mar 9, 2016 at 12:25 AM, Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:
Hi Roman,

> Am 08.03.2016 um 15:51 schrieb Roman Iuvshin <riuvshin@xxxxxxxxxxx>:
> curl -o eclipse-che-4.0.0-RC11-signed.zip -F file=@xxxxxxxxxxxxxxxxxxxxxxxxxx http://build.eclipse.org:31338/sign
> But it seems that this service available only within your special network.

This is correct. It's only available internally. Otherwise everyone on the internet would be able to sign artifacts with the Eclipse Foundation certificate. Do you have shell access to build.eclipse.org?

> Then I've found the maven plugin but I'm not sure where to add it and how to make sure that it works.

Have you seen the following article?
http://www.codetrails.com/blog/sign-your-eclipse-project

-Gunnar
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail