Posted to dev@geronimo.apache.org by "Ted Kirby (JIRA)" <ji...@apache.org> on 2009/01/13 22:27:03 UTC

[jira] Commented: (GERONIMODEVTOOLS-521) Sign features so the eclipse update manager recognizes them as signed

    [ https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663479#action_12663479 ] 

Ted Kirby commented on GERONIMODEVTOOLS-521:
--------------------------------------------

Thanks Delos.  I am not sure what to make of the keystore and password.  No doubt something like this is required for signing.  I'm not sure if and how we want to go forward with this in terms of incorporating it with our build.  It does not appear to be an Apache requirement to sign the eclipse jars.  I found this eclipse link on Jar Signing: http://wiki.eclipse.org/index.php/JAR_Signing.  This discusses signing during an automated build, including procedure for using an eclipse machine and signature.  ServiceMix seems to use maven-gpg-plugin, but I don't know if this is for eclipse plugins, or if that matters.  I can't tell if this is automated, and, if so, where the passphrase is specified.  It seems that Apache prefers GPG for this sort of thing, although for signing eclipse plugins, this may not be required.  Certainly if we put passwords in pom.xml files, this will not be secure.  On the other hand, we just wanted to sign jars, so this may not matter.  Still, a signature implies validation, and having the key in a publicly available pom.xml file would seem to undermine that claim.

Delos, how does this patch work?  Will it create a keystore if there is not one?  Will this work for clean and non-clean mvn builds?  I appreciate your efforts in getting this working.  I have concerns and questions about keys and signing.  I also seek input from others.

> Sign features so the eclipse update manager recognizes them as signed
> ---------------------------------------------------------------------
>
>                 Key: GERONIMODEVTOOLS-521
>                 URL: https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521
>             Project: Geronimo-Devtools
>          Issue Type: Bug
>          Components: eclipse-plugin
>    Affects Versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3
>            Reporter: Ted Kirby
>            Assignee: Tim McConnell
>             Fix For: 2.2.0
>
>         Attachments: 521.patch, 521_updated.patch
>
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.