Difference between integration test jar-signing and jar-signing-extra

[lppedd]

I was looking at different ways to sign our artifacts.
Seems like PGP stuff is not the best way to do it for us, so I'm left with jarsigner.

There are two integration tests for jarsigner.

• https://github.com/eclipse-tycho/tycho/tree/master/tycho-its/projects/jar-signing
• https://github.com/eclipse-tycho/tycho/tree/master/tycho-its/projects/jar-signing-extra

Correct me if I'm wrong:

• jar-signing uses maven-jarsigner-plugin for each Maven project, one at a time while building
• jar-signing-extra uses maven-jarsigner-plugin only over eclipse-repository packaging, updating all plugins in batch.
  Plus, it uses fix-artifacts-metadata as an additional step.

Am I right? And which approach would you pick today?

[laeubi]

Am I right?

Yes, also keep in mind that with first, you only sign items you currently build, while the second will also sign items you consume from elsewhere, especially with code-signing I won't recommend this, unless you really carefully have investigated your dependency chain, as all code signed with run under your name and your granted access rights!

And which approach would you pick today?

This depends on so many aspects that there is no generic answer (see above) if code signing is not only your vehicle for "I don't want to get a warning at install" ...

[lppedd]

will also sign items you consume

Ok, that's something I didn't consider. I think this is not what we want as dependencies should already be signed (e.g., BIRT, Apache stuff, etc.).

I don't want to get a warning at install

Mostly this, plus some more brand awareness.
The answer seems to be going for the first case, signing only our plugins while building.

Your consideration for case two could be added to the Javadoc of FixArtifactsMetadataMetadataMojo or somewhere else?

[laeubi]

If you think some documentation can be improved just suggest a PR, its always better to write it from a users perspective than from a programmers perspective.