[ 
https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663479#action_12663479
 ] 

Ted Kirby commented on GERONIMODEVTOOLS-521:
--------------------------------------------

Thanks Delos.  I am not sure what to make of the keystore and password.  No 
doubt something like this is required for signing.  I'm not sure if and how we 
want to go forward with this in terms of incorporating it with our build.  It 
does not appear to be an Apache requirement to sign the eclipse jars.  I found 
this eclipse link on Jar Signing: 
http://wiki.eclipse.org/index.php/JAR_Signing.  This discusses signing during 
an automated build, including procedure for using an eclipse machine and 
signature.  ServiceMix seems to use maven-gpg-plugin, but I don't know if this 
is for eclipse plugins, or if that matters.  I can't tell if this is automated, 
and, if so, where the passphrase is specified.  It seems that Apache prefers 
GPG for this sort of thing, although for signing eclipse plugins, this may not be 
required.  Certainly if we put passwords in pom.xml files, this will not be 
secure.  On the other hand, we just wanted to sign jars, so this may not 
matter.  Still, a signature implies validation, and having the key in a 
publicly available pom.xml file would seem to undermine that claim.

Delos, how does this patch work?  Will it create a keystore if there is not 
one?  Will this work for clean and non-clean mvn builds?  I appreciate your 
efforts in getting this working.  I have concerns and questions about keys and 
signing.  I also seek input from others.

> Sign features so the eclipse update manager recognizes them as signed
> ---------------------------------------------------------------------
>
>                 Key: GERONIMODEVTOOLS-521
>                 URL: 
> https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521
>             Project: Geronimo-Devtools
>          Issue Type: Bug
>          Components: eclipse-plugin
>    Affects Versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3
>            Reporter: Ted Kirby
>            Assignee: Tim McConnell
>             Fix For: 2.2.0
>
>         Attachments: 521.patch, 521_updated.patch
>
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
