[
https://issues.apache.org/jira/browse/SLING-6585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16326283#comment-16326283
]
Robert Munteanu commented on SLING-6585:
----------------------------------------
I think I finally got this right. Using the codesign-maven-plugin ( [developed
for now in the
sling-whiteboard|https://github.com/apache/sling-whiteboard/tree/master/codesign]
) I was able to generate a signed repository. Diff below, pending a proper
release of the codesign-maven-plugin
{noformat}diff --git a/p2update/pom.xml b/p2update/pom.xml
index caeeda9d..c83f8357 100644
--- a/p2update/pom.xml
+++ b/p2update/pom.xml
@@ -66,6 +66,32 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>codesign-maven-plugin</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ <configuration>
+ <userName>XXXREPLACE</userName>
+ <password>XXXREPLACE</password>
+ <partnerCode>XXXREPLACE</partnerCode>
+ <applicationName>Apache Sling IDE Tooling for
Eclipse</applicationName>
+ <applicationVersion>${qualifiedVersion}</applicationVersion>
+ <includeProjectArtifact>false</includeProjectArtifact>
+ <artifactSets>
+ <artifactSet>
+ <directory>target/repository/features</directory>
+ <include>org.apache.sling.*.jar</include>
+ </artifactSet>
+ <artifactSet>
+ <directory>target/repository/plugins</directory>
+ <include>org.apache.sling.*.jar</include>
+ </artifactSet>
+ </artifactSets>
+ <signingService>Java TEST Signing Sha256</signingService>
+ <keyStore>XXXREPLACE</keyStore>
+ <keyStorePassword>XXXREPLACE</keyStorePassword>
+ </configuration>
+ </plugin>
<!-- the update site is not expected to contain legal artifacts -->
<plugin>
<groupId>org.codehaus.mojo</groupId>
@@ -76,4 +102,71 @@
</plugin>
</plugins>
</build>
+ <profiles>
+ <profile>
+ <id>codesign</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>codesign-maven-plugin</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ <executions>
+ <execution>
+ <id>codesign</id>
+ <phase>package</phase>
+ <goals>
+ <goal>sign</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.eclipse.tycho.extras</groupId>
+ <artifactId>tycho-p2-extras-plugin</artifactId>
+ <version>${tycho.version}</version>
+ <configuration>
+ <source>
+ <repository>
+
<url>${project.build.directory}/repository</url>
+ </repository>
+ </source>
+
<destination>${project.build.directory}/repository-signed</destination>
+ </configuration>
+ <executions>
+ <execution>
+ <id>create-signed-repository</id>
+ <phase>package</phase>
+ <goals>
+ <goal>mirror</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-resources-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-index.html-to-signed-repository</id>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <phase>package</phase>
+ </execution>
+ </executions>
+ <configuration>
+
<outputDirectory>${project.build.directory}/repository-signed</outputDirectory>
+ <resources>
+ <resource>
+
<directory>${project.build.directory}/repository</directory>
+ <include>index.html</include>
+ </resource>
+ </resources>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>{noformat}
> Switch to the ASF code signing service
> --------------------------------------
>
> Key: SLING-6585
> URL: https://issues.apache.org/jira/browse/SLING-6585
> Project: Sling
> Issue Type: Task
> Components: IDE
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: Sling Eclipse IDE 1.2.0
>
>
> The Eclipse tooling code signing was done with a personal certificate by
> myself. I am no longer able to use that, so if we want to keep signing the
> plug-ins, we should use the solution made available by the ASF ( see
> https://reference.apache.org/pmc/codesigning ).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
