[ https://issues.apache.org/jira/browse/UIMA-6444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Eckart de Castilho updated UIMA-6444:
---------------------------------------------
    Description: 
*Note:* we do have detached PGP signatures for the Eclipse update site 
artifacts - it is mandatory according to the ASF release policy - but they are 
currently not included in such a way that Eclipse can verify them and offer the 
user to trust them during the plugin installation process.

----

Currently, we do not sign the Eclipse plugins because it is extra effort and 
the old way of using the Symantec Service is gone anyway.

There is a new jarsigning approach which could be used.

Alternatively, it is meanwhile possible to embed PGP signatures in P2 
repositories.

Let's see which of these options are viable for us.

  was:
Currently, we do not sign the Eclipse plugins because it is extra effort and 
the old way of using the Symantec Service is gone anyway.

There is a new jarsigning approach which could be used.

Alternatively, it is meanwhile possible to embed PGP signatures in P2 
repositories.

Let's see which of these options are viable for us.


> Automatically sign Eclipse plugins during release builds
> --------------------------------------------------------
>
>                 Key: UIMA-6444
>                 URL: https://issues.apache.org/jira/browse/UIMA-6444
>             Project: UIMA
>          Issue Type: Improvement
>            Reporter: Richard Eckart de Castilho
>            Assignee: Richard Eckart de Castilho
>            Priority: Major
>             Fix For: 3.4.0SDK
>
>
> *Note:* we do have detached PGP signatures for the Eclipse update site 
> artifacts - it is mandatory according to the ASF release policy - but they 
> are currently not included in such a way that Eclipse can verify them and 
> offer the user to trust them during the plugin installation process.
> ----
> Currently, we do not sign the Eclipse plugins because it is extra effort and 
> the old way of using the Symantec Service is gone anyway.
> There is a new jarsigning approach which could be used.
> Alternatively, it is meanwhile possible to embed PGP signatures in P2 
> repositories.
> Let's see which of these options are viable for us.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)