Great info, thanks a lot Benjamin!

On Fri, Jan 16, 2015 at 1:30 PM, Denis Roy <[email protected]> wrote:

> Thanks, Benjamin. I've updated the Wiki doc to immortalize the wisdom
> you have bestowed upon us.
>
> https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F
>
> Denis
>
> On 16/01/15 01:24 PM, Benjamin Cabé wrote:
>
> > Hi Fred,
> >
> > JAR signing of the bundles and GPG-signing of the Maven artifacts are
> > two different steps. Once a jar has been "jar-signed", you may or may not
> > GPG sign the corresponding Maven artifact (.jar + .pom file) so that it can
> > be deployed on Central. As you hinted, JAR signing has to be done before the
> > GPG signing, since doing it the other way around would break the GPG
> > signature.
> >
> > So you first have to sign your org.eclipse.m2e.workspace.cli JAR file
> > with the Eclipse Fdn certificate, either using the Maven plugin from CBI,
> > the command line utility, or the signing web service – see [1].
> > Once you have your signed JAR, you can GPG sign it and stage it on Central
> > like this:
> >
> >     mvn gpg:sign-and-deploy-file \
> >       -DpomFile=target/myapp-1.0.pom \
> >       -Dfile=target/myapp-1.0.jar \
> >       -Durl=http://oss.sonatype.org/service/local/staging/deploy/maven2/ \
> >       -DrepositoryId=sonatype_oss
> >
> > I hope this helps. FWIW we are trying to improve our GPG signing story
> > and provide more guidance to projects regarding GPG in general so stay
> > tuned…
> >
> > [1] https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F
> >
> > Hope this helps!
> >
> > Benjamin Cabé
> > Eclipse Foundation
> > +33 (0) 619196101
> > @kartben <https://twitter.com/kartben>
> >
> > From: Fred Bricon <[email protected]>
> > Reply-To: Cross project issues <[email protected]>
> > Date: Friday, 16 January 2015 19:04
> > To: Cross project issues <[email protected]>
> > Subject: [cross-project-issues-dev] Any pointers on how to Eclipse-sign
> > AND GPG-sign a jar?
> >
> > Hi,
> >
> > m2e depends on a jar (
> > http://git.eclipse.org/c/m2e/org.eclipse.m2e.workspace.git/tree/org.eclipse.m2e.workspace.cli)
> > that is deployed on Maven Central. The problem is, it's GPG signed on a
> > non-Eclipse server in order to be able to be deployed on Central, but that
> > means it doesn't have the Eclipse signature. As a result, Eclipse complains
> > about unsigned jar while installing m2e.
> >
> > Do you have any recommended strategy to make both Central and Eclipse
> > happy, signature-wise? Won't signing a jar break the 1st signature?
> >
> > Yes this is totally not my area of expertise :-)
> >
> > Fred
> >
> > --
> > "Have you tried turning it off and on again" - The IT Crowd

--
"Have you tried turning it off and on again" - The IT Crowd
_______________________________________________ cross-project-issues-dev mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
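
The ordering point from the thread, as an added example (not code from the thread or from Eclipse): JAR signing writes signature entries into the archive's META-INF, so a detached signature made earlier no longer covers the file's bytes. The SHA-256 digest stands in for the detached GPG signature, and the function names and the EXAMPLE.SF / EXAMPLE.RSA entries are constructed for illustration.

```python
import hashlib
import io
import zipfile

BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")  # signature block files written by JAR signing

def build_jar(entries):
    """Build JAR (zip) bytes from {name: bytes}; used for constructed sample input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2015, 1, 16, 0, 0, 0)), data)
    return buf.getvalue()

def is_jar_signed(jar_bytes):
    """True if META-INF holds a .SF file plus a signature block file.
    Presence check only; it does not validate the signature (jarsigner -verify does)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist()
                 if n.upper().startswith("META-INF/") and n.count("/") == 1]
    return (any(n.endswith(".SF") for n in names)
            and any(n.endswith(BLOCK_SUFFIXES) for n in names))

def file_digest(data):
    """SHA-256 over the whole file: stand-in for the bytes a detached GPG signature covers."""
    return hashlib.sha256(data).hexdigest()

def release_problems(jar_bytes, digest_at_gpg_signing):
    """Return ordering problems for a JAR, given the digest recorded when it was GPG-signed."""
    problems = []
    if not is_jar_signed(jar_bytes):
        problems.append("JAR carries no JAR signature")
    if file_digest(jar_bytes) != digest_at_gpg_signing:
        problems.append("JAR changed after the detached signature was made")
    return problems

# Constructed sample content; EXAMPLE.SF / EXAMPLE.RSA are placeholder signature entries.
CONTENT = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
           "app/Main.class": b"\xca\xfe\xba\xbe"}
UNSIGNED = build_jar(CONTENT)
JAR_SIGNED = build_jar({**CONTENT, "META-INF/EXAMPLE.SF": b"placeholder",
                        "META-INF/EXAMPLE.RSA": b"placeholder"})

if __name__ == "__main__":
    # Wrong order: detached signature made over the unsigned JAR, JAR signing done afterwards.
    print(release_problems(JAR_SIGNED, file_digest(UNSIGNED)))
    # Order from the thread: JAR-sign first, then make the detached signature.
    print(release_problems(JAR_SIGNED, file_digest(JAR_SIGNED)))
```

On a real artifact the equivalent checks are `jarsigner -verify` on the JAR and `gpg --verify` on its `.asc` file, run on the exact file that will be staged.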
