Posted to commits@sling.apache.org by ro...@apache.org on 2014/05/28 22:33:03 UTC

svn commit: r1598130 - in /sling/trunk/tooling/ide: README.txt pom.xml

Author: rombert
Date: Wed May 28 20:33:02 2014
New Revision: 1598130

URL: http://svn.apache.org/r1598130
Log:
SLING-3098 - Set up code signing for the p2 artifacts

Add a 'sign' profile which activates the maven-jarsigner-plugin. Also
document the prerequisites in the top-level README.txt .

Modified:
    sling/trunk/tooling/ide/README.txt
    sling/trunk/tooling/ide/pom.xml

Modified: sling/trunk/tooling/ide/README.txt
URL: http://svn.apache.org/viewvc/sling/trunk/tooling/ide/README.txt?rev=1598130&r1=1598129&r2=1598130&view=diff
==============================================================================
--- sling/trunk/tooling/ide/README.txt (original)
+++ sling/trunk/tooling/ide/README.txt Wed May 28 20:33:02 2014
@@ -67,4 +67,56 @@ the target platform is set up, you can c
 
 Now you can use the 'Sling IDE Tooling' launch configuration which is present 
 in the org.apache.sling.ide.target-definition project to launch a local instance
-of Eclipse with Sling IDE Tooling plug-ins picked up from the local workspace.  
\ No newline at end of file
+of Eclipse with Sling IDE Tooling plug-ins picked up from the local workspace.
+
+How to generate a signed release
+--------------------------------
+
+The build can be configured to sign the generated jars with a code signing
+certificates. This prevents unsigned content errors from appearing when
+installing the plugins and reassures the user that the content comes from
+a trusted source.
+
+Please note that this is different from GPG signatures.
+
+The following steps are needed to sign the generated jars.
+
+1. Obtain a code signing certificate. At the moment the ASF does not provide
+such a service, so you will have to obtain one yourself. One free possibility
+is Certum [1]. Expect at least two weeks of processing time, so plan this
+ahead of time.
+
+2. Import the certificate chain into a local keystore. The best approach is to
+install the certificate into a browser and ensure that the whole certificate
+chain is present. For Certum that would by the Certum CA, the Certum Level 3
+CA and the code signing certificate.  Backup the certificates from Fireox
+and then import them into the keystore, with a command similar to
+
+	keytool -importkeystore -destkeystore keystore_certum.jks -srckeystore \
+		backup.p12 -srcstoretype pkcs12 
+
+3. Insert properties controlling jarsigner behaviour in your settings.xml
+
+	<settings>
+	    <profiles>
+	        <profile>
+	            <id>sign</id>        
+	
+	            <properties>
+	                <jarsigner.alias>certum-codesigning</jarsigner.alias>
+	                <jarsigner.storepass>changeit</jarsigner.storepass>
+	                <jarsigner.tsa>http://time.certum.pl/</jarsigner.tsa>
+	                <!-- needed since we mix packages between projects -->
+	                <skipTests>true</skipTests>
+	                <jarsigner.keystore>/home/users/keystore_certum.jks</jarsigner.keystore>
+	            </properties>
+	        </profile>
+	    </profiles>
+	</settings>
+
+At this point you can launch a build using
+
+	mvn clean package -Psign
+
+All jars will be signed, and should install without any warnings.
+[1]: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml 
\ No newline at end of file
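Review bot: the settings.xml example in step 3 stores the keystore password in clear text (`<jarsigner.storepass>changeit</jarsigner.storepass>`) next to the path of the private key, so the README should say that this file must be readable only by the release manager, or suggest passing `-Djarsigner.storepass=...` on the command line so the password does not live on disk. The `<skipTests>true</skipTests>` property is also placed inside the signing profile with a comment ("needed since we mix packages between projects") that does not explain why a release build should skip tests; either move it to a separate profile or expand the comment so a reader does not assume signing requires skipping tests. Minor documentation fixes in the same hunk: "a code signing certificates" should be singular, "that would by the Certum CA" should read "would be", and "Fireox" should be "Firefox".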

Modified: sling/trunk/tooling/ide/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/tooling/ide/pom.xml?rev=1598130&r1=1598129&r2=1598130&view=diff
==============================================================================
--- sling/trunk/tooling/ide/pom.xml (original)
+++ sling/trunk/tooling/ide/pom.xml Wed May 28 20:33:02 2014
@@ -94,4 +94,32 @@
 		<tycho.version>0.20.0</tycho.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 	</properties>
+
+    <profiles>
+        <profile>
+            <id>sign</id>
+            <activation>
+                <property>
+                    <name>jarsigner.alias</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-jarsigner-plugin</artifactId>
+                        <version>1.3</version>
+                        <executions>
+                            <execution>
+                                <id>sign</id>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
 </project>
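Review bot: the `sign` execution of maven-jarsigner-plugin declares no `<phase>`, and the profile is activated automatically whenever the `jarsigner.alias` property is defined, not only via `-Psign` as the README documents. Since the commit title is about signing the p2 artifacts and this build uses Tycho (`tycho.version` 0.20.0), the jar must be signed before the p2 metadata for the repository is generated, otherwise the artifact checksums recorded in the p2 repository will not match the signed jars; please bind the execution to an explicit phase and verify the resulting ordering against the Tycho p2-metadata goal, and state in a comment which activation path is intended.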