Posted to dev@uima.apache.org by Marshall Schor <ms...@schor.com> on 2011/12/05 16:30:18 UTC

signing Jars for Eclipse

Every time people install one of our plugins, they get a warning message about
installing "unsigned" Jars.

We do "sign" the Jars, but not with Eclipse Jar-signing techniques, which (if I
recall correctly) require a "Certificate" issued by an officially sanctioned
certificating agency (for a fee).

We sign our Jars using the same PGP method we use for other Jars, which
generates an .asc file.

Is there any way to tie these two methods together, so our Eclipse Jars appear
"signed" by Eclipse?

-Marshall

Re: signing Jars for Eclipse

Posted by Marshall Schor <ms...@schor.com>.
More info:

This link for Eclipse Jar signing: http://wiki.eclipse.org/JAR_Signing

This link for 3rd party (that would include ASF) Jar signing performance issues:
http://wiki.eclipse.org/JAR_Signing#What_effect_does_signing_have_on_runtime_behaviour.3F



On 12/5/2011 10:30 AM, Marshall Schor wrote:
> Every time people install one of our plugins, they get a warning message about
> installing "unsigned" Jars.
>
> We do "sign" the Jars, but not with Eclipse Jar-signing techniques, which (if I
> recall correctly) require a "Certificate" issued by an officially sanctioned
> certificating agency (for a fee).
>
> We sign our Jars using the same PGP method we use for other Jars, which
> generates an .asc file.
>
> Is there any way to tie these two methods together, so our Eclipse Jars appear
> "signed" by Eclipse?
>
> -Marshall
>

Re: signing Jars for Eclipse

Posted by Brian Fox <br...@infinity.nu>.
The PGP signing you're doing produces a detached signature. Eclipse is
looking for some embedded signature produced by jarsigner; they are
related but not the same.

On Mon, Dec 5, 2011 at 10:30 AM, Marshall Schor <ms...@schor.com> wrote:
> Every time people install one of our plugins, they get a warning message about
> installing "unsigned" Jars.
>
> We do "sign" the Jars, but not with Eclipse Jar-signing techniques, which (if I
> recall correctly) require a "Certificate" issued by an officially sanctioned
> certificating agency (for a fee).
>
> We sign our Jars using the same PGP method we use for other Jars, which
> generates an .asc file.
>
> Is there any way to tie these two methods together, so our Eclipse Jars appear
> "signed" by Eclipse?
>
> -Marshall
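
The detached-versus-embedded distinction from the reply above, as an added example that is not part of the thread or of the UIMA build: a jarsigner-style signature lives inside the archive as a META-INF/*.SF file with a matching .RSA/.DSA/.EC block, while the PGP .asc sits beside the JAR. The sample JARs, entry names and the classify() helper are constructed for illustration.

```python
import io
import re
import zipfile

# Signature entries defined by the JAR file specification: a .SF signature
# file plus a signature block (.RSA/.DSA/.EC) with the same base name,
# both directly under META-INF/.
_SF = re.compile(r"^META-INF/([^/]+)\.SF$", re.IGNORECASE)
_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.IGNORECASE)


def embedded_signers(jar_bytes):
    """Return sorted base names that have both a .SF file and a signature block.

    Presence check only: it does not verify digests or the certificate
    chain (jarsigner -verify does that).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    sf = {m.group(1).upper() for n in names if (m := _SF.match(n))}
    blocks = {m.group(1).upper() for n in names if (m := _BLOCK.match(n))}
    return sorted(sf & blocks)


def classify(jar_bytes, sibling_files):
    """Describe how a JAR is signed, given the names of files shipped beside it."""
    return {
        "embedded": embedded_signers(jar_bytes),
        "detached_pgp": any(f.lower().endswith(".jar.asc") for f in sibling_files),
    }


def _make_jar(entries):
    """Build a constructed sample JAR in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples; the signature entries are placeholders, not real signatures.
MANIFEST = b"Manifest-Version: 1.0\r\n\r\n"
PGP_ONLY = _make_jar({"META-INF/MANIFEST.MF": MANIFEST, "plugin.xml": b"<plugin/>"})
JARSIGNED = _make_jar({"META-INF/MANIFEST.MF": MANIFEST, "plugin.xml": b"<plugin/>",
                       "META-INF/SAMPLE.SF": b"placeholder",
                       "META-INF/SAMPLE.RSA": b"placeholder"})

if __name__ == "__main__":
    print(classify(PGP_ONLY, ["plugin.jar", "plugin.jar.asc"]))
    print(classify(JARSIGNED, ["plugin.jar"]))
```

A JAR that reports no embedded signers is what an installer looking only inside the archive will treat as unsigned, regardless of a valid .asc next to it.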