geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ted Kirby (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMODEVTOOLS-521) Sign features so the eclipse update manager recognizes them as signed
Date Tue, 13 Jan 2009 21:27:03 GMT

    [ https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663479#action_12663479
] 

Ted Kirby commented on GERONIMODEVTOOLS-521:
--------------------------------------------

Thanks Delos.  I am not sure what to make of the keystore and password.  No doubt something
like this is required for signing.  I'm not sure if and how we want to go forward with this
in terms of incorporating it with our build.  It does not appear to be an Apache requirement
to sign the eclipse jars.  I found this eclipse link on Jar Signing: http://wiki.eclipse.org/index.php/JAR_Signing.
 This discusses signing during an automated build, including procedure for using an eclipse
machine and signature.  ServiceMix seems to use maven-gpg-plugin, but I don't know if this
is for eclipse plugins, or if that matters.  I can't tell if this is automated, and, if so,
where the passphrase is specified.  It seems that Apache prefers GPG for this sort of thing,
altho for signing eclipse plugins, this may not be required.  Certainly if we put passwords
in pom.xml files, this will not be secure.  On the other hand, we just wanted to sign jars,
so this may not matter.  Still, a signature implies validation, and having the key in a publicly
available pom.xml file would seem to undermine that claim.

Delos, how does this patch work?  Will it create a keystore if there is not one?  Will this
work for clean and non-clean mvn builds?  I appreciate your efforts it getting this working.
 I have concerns and questions about keys and signing.  I also seek input from others.

> Sign features so the eclipse update manager recognizes them as signed
> ---------------------------------------------------------------------
>
>                 Key: GERONIMODEVTOOLS-521
>                 URL: https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521
>             Project: Geronimo-Devtools
>          Issue Type: Bug
>          Components: eclipse-plugin
>    Affects Versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3
>            Reporter: Ted Kirby
>            Assignee: Tim McConnell
>             Fix For: 2.2.0
>
>         Attachments: 521.patch, 521_updated.patch
>
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message