Discussion:
[tycho-dev] Processing artifacts from a p2 update site generated by an eclipse-repository module
Robert Munteanu
2017-06-22 15:42:53 UTC
Hi,

I am trying to get code signing to work with Tycho. I am required to
use a third-party code signing service, which expects me to upload
multiple jar files and in return will give me the signed files.

My first attempt was to write a small Maven plug-in which does just
that and configure it in my eclipse-repository module. However, I
can't insert it in the right point. I would assume this would be
between default-assemble-repository and default-archive-repository, so
that the plug-ins are located under target/repository/plugins but the
metadata is not yet generated. prepare-package is too early, package
is too late.

My second attempt was to manually perform the code signing and replace
the files. However, according to [1] this is not a safe approach.

Third attempt is to locate the reactor dependencies at runtime and
sign those artifacts. With a snippet like

for (Artifact dep : project.getDependencyArtifacts()) {
    getLog().info("Found dependency " + dep + " at " + dep.getFile());
}

I would only get the eclipse-feature dependencies from the reactor,
and dep.getFile() returns null.

At this point I'm out of ideas.

How can I process the artifacts included in an eclipse-repository
before the packaging occurs?

Thanks,

Robert

(Please keep me on CC, I'm not subscribed to this list)

[1]: https://www.eclipse.org/forums/index.php/t/1084723/
--
http://robert.muntea.nu/
Sievers, Jan
2017-06-23 12:52:13 UTC
I don't have a running build with code signing myself but I know the eclipse platform build does using eclipse-jarsigner-plugin.
AFAIK they sign individual jars for each plugin/feature by replacing them in the corresponding target/ folder.

Perhaps looking at
https://github.com/eclipse/eclipse.platform.releng.aggregator/blob/master/eclipse-platform-parent/pom.xml

could help. Or try to contact cbi-***@eclipse.org

Regards
Jan


Sievers, Jan
2017-06-23 12:56:39 UTC
replacing jar files all at once in eclipse-repository will probably not work because signing changes MD5 sums which are part of the p2 metadata.

Jan

_______________________________________________
tycho-dev mailing list
tycho-***@eclipse.org
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/tycho-dev
Robert Munteanu
2017-06-23 13:38:29 UTC
Hi Jan,
Post by Sievers, Jan
replacing jar files all at once in eclipse-repository will probably not work because signing changes MD5 sums which are part of the p2 metadata.
Jan
I don't have a running build with code signing myself but I know the eclipse platform build does using eclipse-jarsigner-plugin.
AFAIK they sign individal jars for each plugin/feature by replacing them in the corresponding target/ folder.
Perhaps looking at
https://github.com/eclipse/eclipse.platform.releng.aggregator/blob/master/eclipse-platform-parent/pom.xml
Thanks for the link, I'll take a look. I forgot to mention that
signing files individually would not work as code signing is a metered
service and N invocations of 1 jar each cost N times as much as 1
invocation with N jars ...

I was looking into the tycho-p2-extras-plugin and I think I can get
away with the following in the eclipse-repository module:

- build the repository as usual
- invoke the code signing logic, replace the files in-place in target/repository
- invoke tycho-p2-extras-plugin:mirror goal and mirror the files from
target/repository to target/repository-signed
- invoke the tycho-p2-extras-plugin:publish-features-and-bundles and
regenerate the p2 metadata in target/repository-signed

That _should_ work, if anyone has worked with a similar setup I'd be
interested to know if it's viable.

Thanks,

Robert
--
http://robert.muntea.nu/
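An added example, not code from this thread, of the check that Jan's MD5 remark implies and that Robert's mirror-and-republish plan is meant to satisfy: a Python script that lays out a constructed p2 repository (hypothetical bundle id and version, artifacts.xml sample written by hand), verifies that the download.size and download.md5 properties match the jar on disk, then swaps the jar in place the way an external signer would and shows the metadata is now stale. Run the same check_p2_artifacts against target/repository-signed after the publish step to confirm the regenerated metadata is consistent.

```python
import hashlib, io, os, tempfile, zipfile
import xml.etree.ElementTree as ET

# Constructed artifacts.xml sample (hypothetical bundle; size/md5 filled at runtime)
ARTIFACTS_XML = """<repository name='example' version='1.0.0' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository'>
  <artifacts size='1'>
    <artifact classifier='osgi.bundle' id='org.example.bundle' version='1.0.0'>
      <properties size='2'>
        <property name='download.size' value='{size}'/>
        <property name='download.md5' value='{md5}'/>
      </properties>
    </artifact>
  </artifacts>
</repository>"""
JAR = os.path.join("plugins", "org.example.bundle_1.0.0.jar")

def _jar_bytes(marker: bytes) -> bytes:
    # Tiny jar whose bytes depend on marker; a real signer adds META-INF/*.SF
    # and *.RSA entries, which likewise changes both the size and the digest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("marker.txt", marker)
    return buf.getvalue()

def check_p2_artifacts(repo_dir: str) -> list:
    # (path, problem) for each artifact whose download.size or download.md5
    # property in artifacts.xml no longer matches the jar on disk
    problems = []
    for art in ET.parse(os.path.join(repo_dir, "artifacts.xml")).iter("artifact"):
        sub = "features" if art.get("classifier") == "org.eclipse.update.feature" else "plugins"
        path = os.path.join(repo_dir, sub, f"{art.get('id')}_{art.get('version')}.jar")
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        data = open(path, "rb").read()
        if props.get("download.size") not in (None, str(len(data))):
            problems.append((path, "download.size mismatch"))
        if props.get("download.md5") not in (None, hashlib.md5(data).hexdigest()):
            problems.append((path, "download.md5 mismatch"))
    return problems

def demo() -> tuple:
    # Consistent repo first, then the jar swapped in place with metadata untouched
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "plugins"))
    data = _jar_bytes(b"unsigned")
    open(os.path.join(d, JAR), "wb").write(data)
    open(os.path.join(d, "artifacts.xml"), "w").write(
        ARTIFACTS_XML.format(size=len(data), md5=hashlib.md5(data).hexdigest()))
    before = check_p2_artifacts(d)
    open(os.path.join(d, JAR), "wb").write(_jar_bytes(b"signed"))
    return before, check_p2_artifacts(d)
```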