Hi,

I'm looking ahead-of-time for the at SLING-3098 - Set up code signing for the p2 artifacts. The gist of it is:

- when installing Eclipse plugins, these should be signed. Otherwise, a dialog pops up about installing unsigned plugins, see for instance [1]
- we currently do not have the ability to generate ASF-backed code signing certificates [2]

Note that this is different from GPG signing releases, we need to sign them using the jarsigner tool (driven by Maven).

I see the following possibilities:

1. Do not sign the plug-ins, live with the warning (for now)
2. Sign the plug-ins using a self-signed certificate. That brings up a confusing dialog though, see [3]
3. Sign the plug-ins using a non-ASF code signing certificate. I already have one set up for Open Source usage only from certum [4], ([email protected], CN=Open Source Developer, Robert Munteanu, O=Open Source Developer, C=RO)

Thoughts?

Robert

[1]: http://developandroid.blogopogo.com/files/2012/03/adt_plug_in_eclipse_unsigned_content_blogopogo.jpg
[2]: https://issues.apache.org/jira/browse/INFRA-3991
[3]: http://nirmalsasidharan.files.wordpress.com/2010/09/signed12.png
[4]: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml
