
Eclipse.org Signing Support for Maven Tycho

I’m happy to announce that we have a first release of eclipse-maven-signing-plugin. If your project needs to sign your bundles as part of the Eclipse Indigo release, please give the plug-in a try. To get started with the plug-in, please add the proper maven.eclipse.org repository to your pom.xml…

  <pluginRepositories>
    <pluginRepository>
      <id>maven.eclipse.org</id>
      <url>http://maven.eclipse.org/nexus/content/repositories/milestone-indigo</url>
    </pluginRepository>
  </pluginRepositories>

After that, in the module where you generate your p2 repository, add this profile…

   <profiles>
    <profile>
     <id>build-server</id>
     <build>
       <plugins>
         <plugin>
           <groupId>org.eclipse.dash.maven</groupId>
           <artifactId>eclipse-maven-signing-plugin</artifactId>
           <version>1.0.0</version>
           <executions>
             <execution>
               <id>pack</id>
               <configuration>
                 <inputFile>${project.build.directory}/github-updatesite.zip</inputFile>
               </configuration>
               <phase>package</phase>
               <goals>
                 <goal>pack</goal>
               </goals>
             </execution>
             <execution>
               <id>sign</id>
               <configuration>
                 <inputFile>${project.build.directory}/github-updatesite.zip</inputFile>
                 <signerInputDirectory>/home/data/httpd/download-staging.priv/egit-github</signerInputDirectory>
               </configuration>
               <phase>package</phase>
               <goals>
                 <goal>sign</goal>
               </goals>
             </execution>
             <execution>
               <id>repack</id>
               <configuration>
                 <inputFile>${project.build.directory}/signed/site_assembly.zip</inputFile>
               </configuration>
               <phase>package</phase>
               <goals>
                 <goal>pack</goal>
               </goals>
             </execution>
             <execution>
               <id>fixCheckSums</id>
               <phase>package</phase>
               <goals>
                 <goal>fixCheckSums</goal>
               </goals>
             </execution>
           </executions>
         </plugin>
         <plugin>
           <artifactId>maven-antrun-plugin</artifactId>
           <executions>
             <execution>
               <id>deploy</id>
               <phase>install</phase>
               <goals>
                 <goal>run</goal>
               </goals>
               <configuration>
                 <tasks>
                   <delete includeemptydirs="false">
                     <fileset
                       dir="/home/data/httpd/download.eclipse.org/egit/github/updates-nightly">
                       <include name="**" />
                     </fileset>
                   </delete>
                   <copy includeemptydirs="false"
                     todir="/home/data/httpd/download.eclipse.org/egit/github/updates-nightly">
                     <fileset dir="target/checksumFix">
                       <include name="**" />
                     </fileset>
                   </copy>
                 </tasks>
               </configuration>
             </execution>
           </executions>
         </plugin>
       </plugins>
     </build>
    </profile>
   </profiles>

Then all you need to do is run your Maven build with ‘-P build-server’ added to the command line to activate the profile.

There are a couple of things you need to watch for with regard to paths. The first is to ensure that you have a directory on the build server where signing can happen; in the example above, it was /home/data/httpd/download-staging.priv/egit-github. If you don’t have the proper permissions to create a directory under /home/data/httpd/download-staging.priv, please open a bug against the webmaster. You also need to ensure that you point to the archived p2 repository that is generated as part of the Maven build. In the case of our example above, it’s ${project.build.directory}/github-updatesite.zip. The second part of the profile publishes the results on download.eclipse.org, so you need to ensure that the directory there (e.g., /home/data/httpd/download.eclipse.org/egit/github/updates-nightly) is writable by Hudson (e.g., chmod 777).
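Since the deploy step copies whatever the build produced, a check that every bundle and feature JAR in the repository archive actually carries signature files is useful before publishing. The following is an added example, not part of the plug-in or the original post; the function names and the sample archive are constructed for illustration, and it assumes the usual p2 layout with JARs under plugins/ and features/.

```python
import io
import zipfile
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files that pair with a .SF

def jar_is_signed(jar_bytes):
    """Presence check only (jarsigner -verify validates): .SF plus matching signature block."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        meta = [n.upper() for n in jar.namelist()
                if n.upper().startswith("META-INF/") and n.count("/") == 1]
    sf = {n.rsplit(".", 1)[0] for n in meta if n.endswith(".SF")}
    blocks = {n.rsplit(".", 1)[0] for n in meta if n.endswith(SIG_BLOCK_EXT)}
    return bool(sf & blocks)

def audit_repository(repo_zip):
    """Classify the plugins/ and features/ entries of a p2 repository archive."""
    report = {"signed": [], "unsigned": [], "packed": []}
    with zipfile.ZipFile(repo_zip) as repo:
        for name in sorted(repo.namelist()):
            if not name.startswith(("plugins/", "features/")):
                continue
            if name.endswith(".jar.pack.gz"):
                report["packed"].append(name)  # compressed form, cannot be opened as a zip
            elif name.endswith(".jar"):
                key = "signed" if jar_is_signed(repo.read(name)) else "unsigned"
                report[key].append(name)
    return report

def make_jar(entry_names):
    """Build a constructed in-memory JAR containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in entry_names:
            z.writestr(n, b"constructed")
    return buf.getvalue()

def build_sample_repo():
    """Constructed sample archive: one signed bundle, one unsigned feature, one packed bundle."""
    signed = make_jar(["META-INF/MANIFEST.MF", "META-INF/SAMPLE.SF", "META-INF/SAMPLE.RSA"])
    unsigned = make_jar(["META-INF/MANIFEST.MF", "feature.xml"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("plugins/org.example.core_1.0.0.jar", signed)
        z.writestr("features/org.example.feature_1.0.0.jar", unsigned)
        z.writestr("plugins/org.example.core_1.0.0.jar.pack.gz", b"constructed")
    return buf

if __name__ == "__main__":
    result = audit_repository(build_sample_repo())
    print(result)
    raise SystemExit(1 if result["unsigned"] else 0)  # non-zero exit can gate the deploy
```

To audit a real build, pass the path of the repository zip to audit_repository instead of the constructed sample.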

I hope that gets you started. I plan on updating the Minerva example by next week to include all of this information and have it migrated to the eclipse.org Dash project where everyone can use it. A special thanks goes to David Carver and Jesse McConnell for helping get this in place in time for the Eclipse Indigo release.

  • Anthony Dahanne

    Hello Chris!
    Thanks for 

  • Anthony Dahanne

    Hello Chris,
    Thanks for this article!
    I know the existence of the maven-jar-signer plugin; originally designed for “traditional” builds, it also works fine with Tycho (I’m using it to sign my bundles and features against a certificate and a timestamp authority); now I’m wondering why you would implement a new maven plugin specific to Tycho and eclipse.org…
    thanks again,
    Anthony

  • http://aniszczyk.org Chris Aniszczyk

    eclipse.org has a very esoteric signing process (essentially an executable /usr/bin/sign that is run only on build.eclipse.org with limited access) so it needed a new plug-in.

    The maven-jar-signer plug-in isn’t sufficient. 

  • Mickael Istria

    Hi Chris,

    I just gave it a try for the GMF Tooling build (https://hudson.eclipse.org/hudson/view/Modeling/job/tycho-gmp.gmf.tooling/32/console) and the log tells me about a site_assembly.zip although I have a configuration very similar to yours.
    The result is that my final repository (in the target/artifactId.zip file) does not contain the signature files in the contained bundles and features.

    Did you experience troubles like those? How did you get rid of them and have all these operations performed on the same file?

  • http://aniszczyk.org Chris Aniszczyk

    Can you create a bug against this in Dash?

    Is this the file that gets copied over to the downloads area?

  • David Carver

     A better url to use for the pluginRepository is:

    http://maven.eclipse.org/nexus/content/groups/public/

  • http://aniszczyk.org Chris Aniszczyk

    I just realized the problem. I fixed the example in the blog, you can see this fix as an example of what went wrong…

    http://egit.eclipse.org/w/?p=egit-github.git;a=commitdiff;h=HEAD;hp=b60ec6d685162477b6017a3a2ab15861601cc633

    Does it work for you now Mickael? 

  • Kaloyan Raev

    Chris, I got the same problem when trying to use this plugin for the Libra project – the repository on the download server was with unsigned jars.

    But, after using your new example code, everything is fine now.

    Thank you, Dave and Jesse for this great plugin. It will save me a lot of time in the future.

  • Kaloyan Raev

    Chris, I noticed that each new build adds a new subfolder to the signing folder on the build server. It is not deleted after copying the signed binaries back to the hudson server. This will consume more and more file system resources over time if it is not cleaned manually.

    Can the plugin be improved in a way that it deletes this signing subfolder?

  • http://aniszczyk.org Chris Aniszczyk

    Sure, do you feel like contributing to it :)?

    http://git.eclipse.org/c/dash/org.eclipse.dash.maven.git/tree/

    I think it can be done in the SignMojo or ChecksumMojo.

  • http://twitter.com/greg_amerson Greg

     Hey Chris,

    I’m currently using Dash/Athena for building my eclipse plugins (not eclipse.org btw).  I am planning on migrating to tycho very soon.  As a part of the move I’d like to tackle signing plugins as well.  How much effort would it be to make this plugin work for non eclipse.org builds?

  • http://aniszczyk.org Chris Aniszczyk

    I think you’ll have an easier time since you don’t depend on an executable… how about just using the maven-jarsigner-plugin?

    http://maven.apache.org/plugins/maven-jarsigner-plugin/

  • Mickael Istria
  • Vincent Zurczak

    This plugin is really cool.
    Thanks Chris for this entry, it was very helpful.

  • Vivian Kong

    Hi Chris, I just tried using this with CDT builds and it works great! Thanks! After the p2 repo is generated, it is signed by this handy plugin. Once the signing process is completed, the signed zip will be placed in %{signerInputDirectory}/[some hash key?]/signed. How do I configure it so it is placed in the %{signerInputDirectory}/signed folder instead?