www-infrastructure-dev mailing list archives

From Igor Fedorenko <i...@ifedorenko.com>
Subject Re: Signing jars
Date Thu, 08 Sep 2011 03:30:20 GMT
Not sure what the question is. I only know how the Eclipse signing
infrastructure is used by build-and-release engineers and have no
insight into how it is set up internally. From a b&r point of view, Eclipse
provides a way to submit jar files (or zip files with many jars) for
signing and get signed jars/zips back. I _think_ signing itself happens
on a dedicated machine which cannot be connected to over the network. I
am almost certain the signing certificate (or certificates?) never leaves
that machine, but I don't know anything beyond that.

As for 'signing in the middle', this problem is specific to Tycho and is
not a property of the Eclipse signing infrastructure per se. Allowing
explicit ordering of plugin executions configured in pom.xml and coming
from the default lifecycle is one way of solving this problem, but there are
other ways too. I can provide more details, but tycho-dev is probably a
more appropriate place for this.

--
Regards,
Igor

On 11-09-07 8:29 PM, Benson Margulies wrote:
> My turn to drag in someone else. I am hoping that Igor is willing to
> join us; he's a first-person expert on how java jar signing plays out
> at Eclipse and where it fits into the build lifecycle and could fit in
> at Apache.
>
> Bill, could you please help me out by filling in the rest of the
> details of what Microsoft rejects? It looks to me as if the situation
> you are describing is:
>
>     ROOT ->  (e.g.) Verisign ->  CORP .......... OK
>     ROOT ->  (e.g.) Verisign ->  CORP ->  PERSON ....... NO
>
> For Dennis, the general issue is that, for Eclipse, the signing of the
> jars is 'in the middle' of building out the whole release, and changes
> the jars. It's not something you can do at the end.
