Posted to commits@sling.apache.org by ro...@apache.org on 2014/05/28 22:33:03 UTC
svn commit: r1598130 - in /sling/trunk/tooling/ide: README.txt pom.xml
Author: rombert
Date: Wed May 28 20:33:02 2014
New Revision: 1598130
URL: http://svn.apache.org/r1598130
Log:
SLING-3098 - Set up code signing for the p2 artifacts
Add a 'sign' profile which activates the maven-jarsigner-plugin. Also
document the prerequisites in the top-level README.txt.
Modified:
sling/trunk/tooling/ide/README.txt
sling/trunk/tooling/ide/pom.xml
Modified: sling/trunk/tooling/ide/README.txt
URL: http://svn.apache.org/viewvc/sling/trunk/tooling/ide/README.txt?rev=1598130&r1=1598129&r2=1598130&view=diff
==============================================================================
--- sling/trunk/tooling/ide/README.txt (original)
+++ sling/trunk/tooling/ide/README.txt Wed May 28 20:33:02 2014
@@ -67,4 +67,56 @@ the target platform is set up, you can c
Now you can use the 'Sling IDE Tooling' launch configuration which is present
in the org.apache.sling.ide.target-definition project to launch a local instance
-of Eclipse with Sling IDE Tooling plug-ins picked up from the local workspace.
\ No newline at end of file
+of Eclipse with Sling IDE Tooling plug-ins picked up from the local workspace.
+
+How to generate a signed release
+--------------------------------
+
+The build can be configured to sign the generated jars with a code signing
+certificates. This prevents unsigned content errors from appearing when
+installing the plugins and reassures the user that the content comes from
+a trusted source.
+
+Please note that this is different from GPG signatures.
+
+The following steps are needed to sign the generated jars.
+
+1. Obtain a code signing certificate. At the moment the ASF does not provide
+such a service, so you will have to obtain one yourself. One free possibility
+is Certum [1]. Expect at least two weeks of processing time, so plan this
+ahead of time.
+
+2. Import the certificate chain into a local keystore. The best approach is to
+install the certificate into a browser and ensure that the whole certificate
+chain is present. For Certum that would by the Certum CA, the Certum Level 3
+CA and the code signing certificate. Backup the certificates from Fireox
+and then import them into the keystore, with a command similar to
+
+ keytool -importkeystore -destkeystore keystore_certum.jks -srckeystore \
+ backup.p12 -srcstoretype pkcs12
+
+3. Insert properties controlling jarsigner behaviour in your settings.xml
+
+ <settings>
+ <profiles>
+ <profile>
+ <id>sign</id>
+
+ <properties>
+ <jarsigner.alias>certum-codesigning</jarsigner.alias>
+ <jarsigner.storepass>changeit</jarsigner.storepass>
+ <jarsigner.tsa>http://time.certum.pl/</jarsigner.tsa>
+ <!-- needed since we mix packages between projects -->
+ <skipTests>true</skipTests>
+ <jarsigner.keystore>/home/users/keystore_certum.jks</jarsigner.keystore>
+ </properties>
+ </profile>
+ </profiles>
+ </settings>
+
+At this point you can launch a build using
+
+ mvn clean package -Psign
+
+All jars will be signed, and should install without any warnings.
+[1]: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml
\ No newline at end of file
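Review bot: the settings.xml sample stores the keystore password in clear text (`<jarsigner.storepass>changeit</jarsigner.storepass>`), and `changeit` is the well-known default Java keystore password; the README should say that this is a placeholder, that the releaser must set a real password on `keystore_certum.jks`, and that passing it on the command line for the release build (`-Djarsigner.storepass=...`) is preferable to leaving it in a file, and it should also mention `jarsigner.keypass` for the case where the key entry's password differs from the store password. The `keytool -importkeystore` step is fine, but the text should add that both `backup.p12` and the resulting `.jks` contain the private key and belong only in the releaser's account with restrictive file permissions, never in the repository. The `jarsigner.tsa` line deserves a sentence of its own: with a timestamp authority the signatures remain verifiable after the certificate expires; without one they do not. Smaller fixes in the same hunk: 'a code signing certificates' should read 'a code signing certificate', 'would by' should read 'would be', 'Fireox' should read 'Firefox', the `skipTests` property and its comment have nothing to do with signing and either belong elsewhere or need a sentence explaining why the sign profile disables tests, and `[1]:` should be separated from the preceding paragraph by a blank line.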
Modified: sling/trunk/tooling/ide/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/tooling/ide/pom.xml?rev=1598130&r1=1598129&r2=1598130&view=diff
==============================================================================
--- sling/trunk/tooling/ide/pom.xml (original)
+++ sling/trunk/tooling/ide/pom.xml Wed May 28 20:33:02 2014
@@ -94,4 +94,32 @@
<tycho.version>0.20.0</tycho.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
+
+ <profiles>
+ <profile>
+ <id>sign</id>
+ <activation>
+ <property>
+ <name>jarsigner.alias</name>
+ </property>
+ </activation>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jarsigner-plugin</artifactId>
+ <version>1.3</version>
+ <executions>
+ <execution>
+ <id>sign</id>
+ <goals>
+ <goal>sign</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>
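Review bot: the profile activates on the mere presence of the `jarsigner.alias` property, so any settings.xml or command line that defines it will turn on signing without `-Psign`, while the README documents `-Psign` as the trigger; pick one mechanism and, if `-Psign` is it, drop the `<activation>` block so the behaviour is explicit. The execution binds only the `sign` goal with no `<configuration>`, relying entirely on the `jarsigner.*` user properties supplied from settings.xml; a short XML comment listing the expected properties (`jarsigner.alias`, `jarsigner.keystore`, `jarsigner.storepass`, `jarsigner.tsa`) would save the next releaser a trip to the README, and a second execution running the plugin's `verify` goal would make the build fail when a jar is left unsigned or its signature does not verify, rather than producing a repository that only shows warnings at install time. Since the commit targets the p2 artifacts, it is also worth confirming that signing runs before the Tycho p2 repository is assembled (`tycho.version` is 0.20.0 here), because p2 artifact metadata records checksums of the bundles and jars signed afterwards would no longer match them.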