Re: [cbi-dev] Signing CHE artifacts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cbi-dev] Signing CHE artifacts

From: Mikaël Barbero <mikael@xxxxxxxxxxx>
Date: Wed, 9 Mar 2016 11:38:11 +0100
Delivered-to: cbi-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cbi-dev>
List-help: <mailto:cbi-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cbi-dev>, <mailto:cbi-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cbi-dev>, <mailto:cbi-dev-request@eclipse.org?subject=unsubscribe>

Hi Roman,

The foundation provides several signing services. They are only accessible from within the private LAN because, as Gunnar said, this is how we protect the Eclipse Foundation certificate from being used by anyone ;) The services are described on the wiki https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F. Find below some additional comments.

Jar signing (in the JVM signing meaning http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html)

There are three ways to sign a jar @ eclipse.

use the web service. It can be called from the command line on build.eclipse.org curl -o signedfile.jar -F file=@unsigned-jar.jar http://build.eclipse.org:31338/sign
use the cbi maven plugin (https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/plugin-info.html which uses the webservice as a backend, see https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/sign-mojo.html#signerUrl). I don't think it is not an option for you as you don't run your build on the Eclipse CI infrastructure.
use the command line tool (see https://wiki.eclipse.org/IT_Infrastructure_Doc#ZIP_and_JAR_files_from_the_command_line_.28queued_or_not.29). This is interesting because you can submit multiple jars at once within a zip. Note that the zip must follow an update site or repository layout).

OS X .app signing

use the web service. It can be called from the command line on build.eclipse.org curl -o signed.zip -F file=@unsigned.zip http://build.eclipse.org:31338/macsign.php
use the cbi maven plugin (https://www.eclipse.org/cbi/sitedocs/eclipse-macsigner-plugin/plugin-info.html which uses the webservice as a backend, see https://www.eclipse.org/cbi/sitedocs/eclipse-macsigner-plugin/sign-mojo.html#signerUrl). I don't think it is not an option for you as you don't run your build on the Eclipse CI infrastructure.

Windows .exe signing

use the web service. It can be called from the command line on build.eclipse.org curl -o signed.exe -F file=@unsigned.exe http://build.eclipse.org:31338/winsign.php
use the cbi maven plugin (https://www.eclipse.org/cbi/sitedocs/eclipse-winsigner-plugin/plugin-info.html which uses the webservice as a backend, see https://www.eclipse.org/cbi/sitedocs/eclipse-winsigner-plugin/sign-mojo.html#signerUrl). I don't think it is not an option for you as you don't run your build on the Eclipse CI infrastructure.

I you want to use the command line tool to sign jars, you have to fill a bug to ask for the permissions to use it as it is restricted to specific users.

Hope this helps.

Cheers,

Mikael

Le 9 mars 2016 à 10:16, Roman Iuvshin <riuvshin@xxxxxxxxxxx> a écrit :

Hi, thank you for response!
Yes I have some kind of access to build.eclipse.org but only a few commands are available, not sure If I can sign binaries this way.
We are using our own CI infrastructure and it seems adding maven plugins to our project's poms will not help.
So can you please enumerate steps which I need to perform to sign Eclipse Che binaries? btw we've uploaded few RC versions using
scp -i ~/.ssh/eclipse_upload eclipse-che-4.0.0-RC11.tar.gz riuvshin@xxxxxxxxxxxxxxx:downloads/che/
Is there a way sign already uploaded bundle?

Thanks!

On Wed, Mar 9, 2016 at 12:25 AM, Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:
Hi Roman,

> Am 08.03.2016 um 15:51 schrieb Roman Iuvshin <riuvshin@xxxxxxxxxxx>:
> curl -o eclipse-che-4.0.0-RC11-signed.zip -F file=@eclipse-che-4.0.0-RC11.zip http://build.eclipse.org:31338/sign
> But it seems that this service available only within your special network.

This is correct. It's only available internally. Otherwise everyone on the internet would be able to sign artifacts with the Eclipse Foundation certificate. Do you have shell access to build.eclipse.org?

> Then I've found the maven plugin but I'm not sure where to add it and how to make sure that it works.

Have you seen the following article?
http://www.codetrails.com/blog/sign-your-eclipse-project

-Gunnar
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Follow-Ups:
- Re: [cbi-dev] Signing CHE artifacts
  - From: Roman Iuvshin

References:
- [cbi-dev] Signing CHE artifacts
  - From: Roman Iuvshin
- Re: [cbi-dev] Signing CHE artifacts
  - From: Gunnar Wagenknecht
- Re: [cbi-dev] Signing CHE artifacts
  - From: Roman Iuvshin

Prev by Date: Re: [cbi-dev] Signing service configuration
Next by Date: Re: [cbi-dev] Signing service configuration
Previous by thread: Re: [cbi-dev] Signing CHE artifacts
Next by thread: Re: [cbi-dev] Signing CHE artifacts
Index(es):
- Date
- Thread

Breadcrumbs