Thanks, Benjamin. I've updated the Wiki doc to immortalize the wisdom
you have bestowed upon us.
https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F
Denis
On 16/01/15 01:24 PM, Benjamin Cabé wrote:
Hi Fred,
JAR signing of the bundles and GPG-signing of the Maven artifacts are
two different steps. Once a jar has been "jar-signed", you may or may
not GPG sign the corresponding Maven artifact (.jar + .pom file) so
that it can be deployed on Central. As you hinted, JAR signing has to be
done before the GPG signing, since doing it the other way around would
break the GPG signature.
So you first have to sign your org.eclipse.m2e.workspace.cli JAR file
with the Eclipse Fdn certificate, either using the Maven plugin from
CBI, the command line utility, or the signing web service – see [1].
Once you have your signed JAR, you can GPG sign it and stage it on
Central like this:
    mvn gpg:sign-and-deploy-file \
      -DpomFile=target/myapp-1.0.pom \
      -Dfile=target/myapp-1.0.jar \
      -Durl=http://oss.sonatype.org/service/local/staging/deploy/maven2/ \
      -DrepositoryId=sonatype_oss
I hope this helps. FWIW we are trying to improve our GPG signing story
and provide more guidance to projects regarding GPG in general so stay
tuned…
[1] https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F
Hope this helps!
------------------------------------------------------------------------
*Benjamin Cabé*
Eclipse Foundation
+33 (0) 619196101
@kartben <https://twitter.com/kartben>
EclipseCon 2015 <http://www.eclipsecon.org/na2015>
From: Fred Bricon <[email protected]>
Reply-To: Cross project issues <[email protected]>
Date: Friday 16 January 2015 19:04
To: Cross project issues <[email protected]>
Subject: [cross-project-issues-dev] Any pointers on how to Eclipse-sign
AND GPG-sign a jar?
Hi,
m2e depends on a jar
(http://git.eclipse.org/c/m2e/org.eclipse.m2e.workspace.git/tree/org.eclipse.m2e.workspace.cli)
that is deployed on Maven Central. The problem is, it's GPG signed
on a non-Eclipse server in order to be able to be deployed on
Central, but that means it doesn't have the Eclipse signature. As
a result, Eclipse complains about an unsigned jar while installing m2e.
Do you have any recommended strategy to make both Central and
Eclipse happy, signature-wise? Won't signing a jar break the 1st
signature?
Yes this is totally not my area of expertise :-)
Fred
--
"Have you tried turning it off and on again" - The IT Crowd
_______________________________________________
cross-project-issues-dev mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
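
The ordering discussed in this thread, as an added example that is not part of the original messages: a detached signature binds to the exact bytes of the file, while JAR signing rewrites the archive by adding signature files under META-INF/, so a jar can be checked for those entries before it is GPG-signed. The jar contents, the EXAMPLE.SF/EXAMPLE.RSA placeholder entries and the function names are constructed for illustration, and a SHA-256 digest stands in for the GPG signature.

```python
import hashlib
import io
import zipfile

# Suffixes of the signature block files that jarsigner writes under META-INF/.
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")

def build_jar(entries):
    """Return the bytes of a jar (zip) holding the given {name: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def jar_signature_entries(jar_bytes):
    """List signature files (.SF and signature blocks) directly under META-INF/."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(
            n for n in zf.namelist()
            if n.upper().startswith("META-INF/") and n.count("/") == 1
            and n.upper().endswith((".SF",) + SIG_BLOCK_SUFFIXES)
        )

def is_jar_signed(jar_bytes):
    """True when the jar carries both a .SF file and a signature block file."""
    names = [n.upper() for n in jar_signature_entries(jar_bytes)]
    return (any(n.endswith(".SF") for n in names)
            and any(n.endswith(SIG_BLOCK_SUFFIXES) for n in names))

def detached_digest(jar_bytes):
    """SHA-256 of the whole file: stand-in for what a detached signature covers."""
    return hashlib.sha256(jar_bytes).hexdigest()

# Constructed sample content; the signature entries are placeholders, not real signatures.
CONTENT = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
           "org/example/App.class": b"\xca\xfe\xba\xbe constructed"}
UNSIGNED = build_jar(CONTENT)
JAR_SIGNED = build_jar({**CONTENT,
                        "META-INF/EXAMPLE.SF": b"Signature-Version: 1.0\r\n\r\n",
                        "META-INF/EXAMPLE.RSA": b"placeholder signature block"})

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED), ("jar-signed", JAR_SIGNED)):
        print(label, is_jar_signed(jar), detached_digest(jar)[:16])
```

A detached signature made over the unsigned bytes would no longer match once the signature entries are added, which is why the JAR signing step comes first. This only checks that signature entries are present; it does not validate them.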