[jbosstools-issues] [JBoss JIRA] (JBIDE-13407) Jar signing for JBT plugins/features

Nick Boldt (JIRA) jira-events at lists.jboss.org
Fri Jun 21 14:14:21 EDT 2013 

    [ https://issues.jboss.org/browse/JBIDE-13407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12783711#comment-12783711 ] 

Nick Boldt edited comment on JBIDE-13407 at 6/21/13 2:12 PM:
-------------------------------------------------------------

When installing from http://download.jboss.org/jbosstools/builds/staging/jbosstools-base.signed_master/all/repo/, I was not prompted to accept installation of unsigned content! (Actually, I am prompted for the SOURCE features, but not the binaries.)

So, we can use the *jbosscodesign2009* certificate in jobs to sign all the content we build. If we implement this for ALL the jobs, we'll have everything that we build signed. Exceptions include org.eclipse or org.sonatype deps that are not signed... we COULD sign them, but should we?

Not sure how to force the source plugins to be signed.
                
      was (Author: nickboldt):
    When installing from http://download.jboss.org/jbosstools/builds/staging/jbosstools-base.signed_master/all/repo/, I was not prompted to accept installation of unsigned content! (Actually, I am prompted for the SOURCE features, but not the binaries.)

So, we can use the *jbosscodesign2009* certificate in jobs to sign all the content we build. If we implement this for ALL the jobs, we'll have everything that we build signed.

Not sure how to force the source plugins to be signed.
                  
> Jar signing for JBT plugins/features
> ------------------------------------
>
>                 Key: JBIDE-13407
>                 URL: https://issues.jboss.org/browse/JBIDE-13407
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: Build/Releng, updatesite
>    Affects Versions: 3.3.2.Final, 4.0.0.Final, 4.1.0.Alpha1
>            Reporter: Nick Boldt
>            Assignee: Nick Boldt
>             Fix For: 4.2.0.Alpha1
>
>         Attachments: dialog_do-you-trust-these-certs.png, jbds-signed-plugins.png, JBDS6-STS272-install-from-central-Unsigned-Content-Warning.png, no-more-jboss-unsigned-content-but-what-about-org.sonatype.png
>
>
> Investigate jar signing processes/options and locations of certs we can use for signing of JBIDE / JBTIS community jars for repackaging into JBDS product.
> Goal is to avoid seeing warning about installing unsigned content from Eclipse Marketplace, p2 installer, or JBoss Central.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jbosstools-issues mailing list