Hi Fred,

JAR signing of the bundles and GPG-signing of the Maven artifacts are two
different steps. Once a jar has been "jar-signed", you may or may not GPG
sign the corresponding Maven artifact (.jar + .pom file) so that it can be
deployed on Central. As you hinted, JAR signing has to be done before the
GPG signing, since doing it the other way around would break the GPG
signature.

So you first have to sign your org.eclipse.m2e.workspace.cli JAR file with
the Eclipse Fdn certificate, either using the Maven plugin from CBI, the
command line utility, or the signing web service - see [1].
Once you have your signed JAR, you can GPG sign it and stage it on Central
like this:

    mvn gpg:sign-and-deploy-file \
      -DpomFile=target/myapp-1.0.pom \
      -Dfile=target/myapp-1.0.jar \
      -Durl=http://oss.sonatype.org/service/local/staging/deploy/maven2/ \
      -DrepositoryId=sonatype_oss

I hope this helps. FWIW we are trying to improve our GPG signing story and
provide more guidance to projects regarding GPG in general so stay tuned...

[1] https://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F

Hope this helps!


Benjamin Cabé

Eclipse Foundation
+33 (0) 619196101
@kartben <https://twitter.com/kartben>


From: Fred Bricon <fbri...@gmail.com>
Reply-To: Cross project issues <cross-project-issues-dev@eclipse.org>
Date: Friday, 16 January 2015 19:04
To: Cross project issues <cross-project-issues-dev@eclipse.org>
Subject: [cross-project-issues-dev] Any pointers on how to Eclipse-sign AND
GPG-sign a jar?

> Hi,
> 
> m2e depends on a jar
> (http://git.eclipse.org/c/m2e/org.eclipse.m2e.workspace.git/tree/org.eclipse.m2e.workspace.cli)
> that is deployed on Maven Central. The problem is, it's GPG
> signed on a non-Eclipse server in order to be able to be deployed on Central,
> but that means it doesn't have the Eclipse signature. As a result, Eclipse
> complains about unsigned jar while installing m2e.
> 
> Do you have any recommended strategy to make both Central and Eclipse happy,
> signature-wise? Won't signing a jar break the 1st signature?
> 
> Yes this is totally not my area of expertise :-)
> 
> Fred
> 
> -- 
> "Have you tried turning it off and on again" - The IT Crowd
> _______________________________________________ cross-project-issues-dev
> mailing list cross-project-issues-dev@eclipse.org To change your delivery
> options, retrieve your password, or unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
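
Added example (not part of the original thread, and not Eclipse or CBI tooling): a Python release check illustrating the ordering described in the reply above. JAR signing writes new files into META-INF/, so a detached signature made over the earlier bytes no longer matches. Assumptions: SHA-256 of the file stands in for the detached GPG signature, and the SAMPLE.SF / SAMPLE.RSA names and all file contents are constructed.

```python
import hashlib
import io
import zipfile

# Suffixes of the signature block files that jarsigner writes under META-INF/.
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")

def build_jar(entries):
    """Return the bytes of a JAR (ZIP) built from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def is_jar_signed(jar_bytes):
    """True if META-INF/ holds a .SF file with a matching signature block file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist()]
    meta = [n for n in names if n.startswith("META-INF/") and n.count("/") == 1]
    stems = {n[:-3] for n in meta if n.endswith(".SF")}
    return any(n.endswith(SIG_BLOCK_SUFFIXES) and n.rsplit(".", 1)[0] in stems
               for n in meta)

def file_digest(jar_bytes):
    """SHA-256 of the whole file (stand-in for what a detached signature covers)."""
    return hashlib.sha256(jar_bytes).hexdigest()

def release_problems(jar_bytes, digest_at_gpg_time):
    """List reasons this JAR should not be deployed with its detached signature."""
    problems = []
    if not is_jar_signed(jar_bytes):
        problems.append("not jar-signed")
    if file_digest(jar_bytes) != digest_at_gpg_time:
        problems.append("file changed after GPG signing")
    return problems

# Constructed samples: an unsigned JAR, and the same content after JAR signing.
BASE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
        "Example.class": b"\xca\xfe\xba\xbe"}
UNSIGNED = build_jar(BASE)
SIGNED = build_jar({**BASE,
                    "META-INF/SAMPLE.SF": b"Signature-Version: 1.0\r\n\r\n",
                    "META-INF/SAMPLE.RSA": b"placeholder signature block"})

if __name__ == "__main__":
    print("JAR-sign then GPG-sign:", release_problems(SIGNED, file_digest(SIGNED)))
    print("GPG-sign then JAR-sign:", release_problems(SIGNED, file_digest(UNSIGNED)))
```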

