This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-ide-tooling.git
The following commit(s) were added to refs/heads/master by this push:
new 39176a06 SLING-11680 - Eclipse plugins: Switch from Jarsigning to
external GPG signatures (#46)
39176a06 is described below
commit 39176a0625a7f57dcad6ddff927ec9fd6572d7bf
Author: Robert Munteanu <[email protected]>
AuthorDate: Mon Sep 15 14:00:25 2025 +0200
SLING-11680 - Eclipse plugins: Switch from Jarsigning to external GPG
signatures (#46)
- drop the jarsigner profile altogether
- use the GPG profile when creating releases
- remove jarsigner references from the Jenkinsfile
---
Jenkinsfile | 29 ++++-----------
eclipse/p2update/pom.xml | 92 +-----------------------------------------------
2 files changed, 7 insertions(+), 114 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index f2cc92e7..72fcf954 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -85,31 +85,14 @@ def generateStages(String os, def mvnVersion, def
javaVersion) {
}
def buildAndDeployP2Repository( def mvnVersion, def javaVersion ) {
- // for optional signing a dedicated node needs to be leveraged
- node('ubuntu') { // use label pkcs11 for signing with digicert
+ node('ubuntu') {
stage('Build P2 Repository') {
- echo "Running on node ${env.NODE_NAME} with PKCS#11
config at ${env.PKCS11_CONFIG}"
+ echo "Running on node ${env.NODE_NAME}"
checkout scm
- // set up environment variables according to
https://docs.digicert.com/de/digicert-one/secure-software-manager/ci-cd-integrations/maven-integration-with-pkcs11.html
- withCredentials([
- file(credentialsId:
'sling-digicert-pkcs-certificate', variable: 'SM_CLIENT_CERT_FILE'),
- string(credentialsId:
'sling-digicert-pkcs-cert-pw', variable: 'SM_CLIENT_CERT_PASSWORD'),
- string(credentialsId:
'sling-digicert-pkcs-api-key', variable: 'SM_API_KEY')]) {
- //
https://docs.digicert.com/de/digicert-one/secure-software-manager/client-tools/configure-environment-variables.html
- // redirecting log to another file does not
work for some reason
-
withEnv(['SM_LOG_LEVEL=ERROR','SM_HOST=https://clientauth.one.digicert.com']) {
- try {
- withMaven(maven: mvnVersion,
jdk: javaVersion, mavenLocalRepo: '.repository', options:
[artifactsPublisher(disabled: true)]) {
- timeout(20) {
- // build with profile
"sign-with-jarsigner" for signing
- runCmd 'mvn -f eclipse/p2update
clean verify -e'
- }
- }
- } catch (e) {
- // reenable next line to expose further
infos about signature errors
- //echo('smpkcs11.log: ' +
readFile(file: "${env.HOME}/.signingmanager/logs/smpkcs11.log"))
- throw e
- }
+ withMaven(maven: mvnVersion, jdk: javaVersion, mavenLocalRepo:
'.repository', options: [artifactsPublisher(disabled: true)]) {
+ timeout(20) {
+ // nightly builds are not GPG-signed
+ runCmd 'mvn -f eclipse/p2update clean verify -e'
}
}
}
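Review bot: The three DigiCert credential bindings removed from `buildAndDeployP2Repository` (`sling-digicert-pkcs-certificate`, `sling-digicert-pkcs-cert-pw`, `sling-digicert-pkcs-api-key`) presumably still exist in the Jenkins credential store, and nothing in this commit retires them. Once no job references them, they should be deleted, and the client certificate and API key revoked at the issuer, so that unused signing secrets are not left reachable from CI. The new comment could also say where signing does happen, for example `// nightly builds are not GPG-signed; releases are signed via the sign-with-gpg profile in eclipse/p2update/pom.xml`. The deploy step of this function lies outside the hunk, so it cannot be confirmed from here whether the unsigned nightly repository is published to a user-facing update site; if it is, that site should state that its content is unsigned.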
diff --git a/eclipse/p2update/pom.xml b/eclipse/p2update/pom.xml
index 66718e08..03229062 100644
--- a/eclipse/p2update/pom.xml
+++ b/eclipse/p2update/pom.xml
@@ -89,103 +89,13 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<configuration>
-
<releaseProfiles>apache-release,sign-with-jarsigner</releaseProfiles>
+
<releaseProfiles>apache-release,sign-with-gpg</releaseProfiles>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
<profiles>
- <profile>
- <!-- this profile is automatically active during
release:perform
- each signature costs the ASF money, therefore
only activate during releases
- -->
- <id>sign-with-jarsigner</id>
- <build>
- <plugins>
- <plugin>
-
<groupId>org.apache.maven.plugins</groupId>
-
<artifactId>maven-enforcer-plugin</artifactId>
- <executions>
- <execution>
-
<id>enforce-digicert-one-env-variables</id>
- <goals>
-
<goal>enforce</goal>
- </goals>
- <configuration>
- <rules>
-
<requireProperty>
-
<property>env.PKCS11_CONFIG</property>
-
</requireProperty>
-
<!-- the ones listed at
https://docs.digicert.com/de/digicert-one/secure-software-manager/ci-cd-integrations/maven-integration-with-pkcs11.html
-->
-
<requireProperty>
-
<property>env.SM_CLIENT_CERT_PASSWORD</property>
-
</requireProperty>
-
<requireProperty>
-
<property>env.SM_CLIENT_CERT_FILE</property>
-
</requireProperty>
-
<requireProperty>
-
<property>env.SM_API_KEY</property>
-
</requireProperty>
- </rules>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <plugin>
-
<groupId>org.apache.maven.plugins</groupId>
-
<artifactId>maven-jarsigner-plugin</artifactId>
- <version>3.0.0</version>
- <executions>
- <execution>
- <id>sign</id>
- <goals>
-
<goal>sign</goal>
- </goals>
-
<phase>prepare-package</phase> <!-- must happen after "assemble-repository" but
before "fix-artifacts-metadata" -->
- <configuration>
-
<keystore>NONE</keystore>
-
<alias>Sling-PMC-2022-09</alias>
-
<storepass>none</storepass>
-
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
-
<storetype>PKCS11</storetype>
-
<providerArg>${env.PKCS11_CONFIG}</providerArg>
-
<tsa>http://timestamp.digicert.com</tsa>
-
<verbose>true</verbose>
-
<processMainArtifact>false</processMainArtifact>
-
<archiveDirectory>${project.build.directory}/repository/plugins</archiveDirectory>
-
<includes>
-
<!-- only sign our own artifacts -->
-
<include>org.apache.sling.*.jar</include>
-
</includes>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <!-- fix metadata of repository after
signing -->
- <plugin>
-
<groupId>org.eclipse.tycho</groupId>
-
<artifactId>tycho-p2-repository-plugin</artifactId>
-
<version>${tycho.version}</version>
- <executions>
- <execution>
-
<id>update-metadata-after-signing</id>
- <goals>
-
<goal>fix-artifacts-metadata</goal>
- </goals>
-
<phase>prepare-package</phase><!-- must happen after "sign" but before
"archive-repository" -->
- </execution>
- <execution>
- <id>verify</id>
- <goals>
-
<goal>verify-repository</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- </profile>
<profile>
<id>sign-with-gpg</id>
<build>
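Review bot: Deleting the `sign-with-jarsigner` profile also drops two safeguards that the hunk does not show being carried over to `sign-with-gpg`: the `<include>org.apache.sling.*.jar</include>` filter that limited signing to the project's own artifacts, and the `verify` execution that ran `verify-repository` after the metadata fix. The `sign-with-gpg` profile begins on the last lines of the hunk and its body is outside it, so it should be checked that it signs only Sling bundles and that the repository is still verified once signatures are attached. The trust model also changes: the jar signatures were timestamped and tied to the `Sling-PMC-2022-09` certificate alias, while external GPG signatures are only useful if consumers can obtain the signing key from a trusted location, so the release documentation should name where the public key is published. A short comment on the `<releaseProfiles>` line, such as `<!-- releases are GPG-signed; jar signing was dropped in SLING-11680 -->`, would record why.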
