Re: [cbi-dev] Signing CHE artifacts

Matthias is right. Sorry for not providing a link to that correct component. 

Note that you won't be able to just sign the .zip or tar.gz that you will upload. From what I see in the archives, you redistribute Tomcat and other jars. You have to check with your PMC whether these jars should be signed with the Eclipse Foundation certificate. Also, you will need to extract the files in the archives in order to sign the jars within them, as they are not an update site or p2 repo. The /usr/bin/sign service only handles zips with an update site or p2 repo layout. Of course, you will be able to re-create the archive once the files are signed. I suggest you use the webservice to sign the jars individually; it is faster.

Cheers,
Mikael

On 10 March 2016 at 22:55, Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

I think you can file a bug at
and ask for shell access to build.eclipse.org and signing permissions 

-Matthias

On Thu, Mar 10, 2016 at 4:35 PM, Roman Iuvshin <riuvshin@xxxxxxxxxxx> wrote:
Hi, thanks a lot for the reply.

Today we are allowed to upload only zip and tar.gz packagings. So everything we need is to sign after we upload our bundles.
Could you please advise where we can issue a request for permissions? As I understand, what we did previously is wrong and there is no way to sign bundles from where we've uploaded them, i.e.
scp -i ~/.ssh/eclipse_upload eclipse-che-4.0.0-RC11.tar.gz riuvshin@xxxxxxxxxxxxxxx:downloads/che/
So if I understand correctly we will get access to some place where we will be able to upload and sign our bundles using the command-line tool, and after that we will be able to upload them to downloads, is this correct?

As soon as we are able to sign our bundles we will replace the already uploaded (not signed) ones.



On Wed, Mar 9, 2016 at 12:38 PM, Mikaël Barbero <mikael@xxxxxxxxxxx> wrote:
Hi Roman,

The foundation provides several signing services. They are only accessible from within the private LAN because, as Gunnar said, this is how we protect the Eclipse Foundation certificate from being used by anyone ;) The services are described on the wiki https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F. Find below some additional comments.


There are three ways to sign a jar @ eclipse.

OS X .app signing

Windows .exe signing

If you want to use the command line tool to sign jars, you have to file a bug to ask for the permissions to use it as it is restricted to specific users.

Hope this helps.

Cheers,
Mikael


On 9 March 2016 at 10:16, Roman Iuvshin <riuvshin@xxxxxxxxxxx> wrote:

Hi, thank you for the response!
Yes, I have some kind of access to build.eclipse.org but only a few commands are available, not sure if I can sign binaries this way.
We are using our own CI infrastructure and it seems adding maven plugins to our project's poms will not help.
So can you please enumerate the steps which I need to perform to sign Eclipse Che binaries? btw we've uploaded a few RC versions using
scp -i ~/.ssh/eclipse_upload eclipse-che-4.0.0-RC11.tar.gz riuvshin@xxxxxxxxxxxxxxx:downloads/che/
Is there a way to sign an already uploaded bundle?

Thanks! 

On Wed, Mar 9, 2016 at 12:25 AM, Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:
Hi Roman,

> On 08.03.2016 at 15:51, Roman Iuvshin <riuvshin@xxxxxxxxxxx> wrote:
> curl -o eclipse-che-4.0.0-RC11-signed.zip -F file=@eclipse-che-4.0.0-RC11.zip http://build.eclipse.org:31338/sign
> But it seems that this service is available only within your special network.

This is correct. It's only available internally. Otherwise everyone on the internet would be able to sign artifacts with the Eclipse Foundation certificate. Do you have shell access to build.eclipse.org?

> Then I've found the maven plugin but I'm not sure where to add it and how to make sure that it works.

Have you seen the following article?
http://www.codetrails.com/blog/sign-your-eclipse-project

-Gunnar
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
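
Added example, not part of the thread and not Eclipse Foundation tooling: the procedure Mikael describes at the top of the thread (extract the archive, sign each jar through the webservice, re-create the archive) written as a shell function. It assumes the endpoint quoted in the thread accepts a single jar the same way as the `curl -F file=@...` call shown there; `SKIP_GLOB` is a hypothetical setting for jars the PMC decides should not carry the Eclipse Foundation signature.

```shell
# Added example (not from the thread). SIGN_URL is the endpoint quoted in the
# thread, reachable only from inside the Eclipse Foundation network; that it
# accepts one jar per request is an assumption.
# SKIP_GLOB is a hypothetical path pattern for jars that must stay unsigned.
SIGN_URL="${SIGN_URL:-http://build.eclipse.org:31338/sign}"
SKIP_GLOB="${SKIP_GLOB:-}"

# Sign one jar in place. The response goes to a temp file first, so a failed
# or empty response never overwrites the original jar.
sign_jar() {
  tmp="$(mktemp)" || return 1
  if curl --fail --silent --show-error -o "$tmp" -F "file=@$1" "$SIGN_URL" \
     && [ -s "$tmp" ]; then
    cat "$tmp" > "$1"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# resign_archive IN.tar.gz OUT.tar.gz
# Prints the number of jars signed. Any signing failure aborts before OUT is
# written, so a partly signed archive is never produced.
# Runs in a subshell: variables stay local and the trap cleans up on exit.
resign_archive() (
  in="$1"; out="$2"; count=0
  work="$(mktemp -d)" || exit 1
  trap 'rm -rf "$work"' EXIT
  mkdir "$work/tree"
  tar -xzf "$in" -C "$work/tree" || exit 1
  # One path per line; file names containing newlines are not supported.
  find "$work/tree" -type f -name '*.jar' > "$work/jars.list"
  while IFS= read -r jar; do
    case "$jar" in $SKIP_GLOB) continue ;; esac
    sign_jar "$jar" || { echo "signing failed: ${jar#"$work/tree/"}" >&2; exit 1; }
    count=$((count + 1))
  done < "$work/jars.list"
  tar -czf "$out" -C "$work/tree" . || { rm -f "$out"; exit 1; }
  echo "$count"
)
```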

