tycho-gpg-plugin:sign-p2-artifacts needs to go between tycho-p2-repository-plugin:tycho-p2-repository-plugin and tycho-p2-repository-plugin:archive-repository #2992
-
|
Hi, Is there a better way to made gpg signing before making the archive, we implemented a workaround (as it is shown in the following pease of xml), is this the way to do it? if it is I think that this could be improved. What do you think? ...
<plugin>
<groupId>org.eclipse.tycho</groupId>
<artifactId>tycho-p2-repository-plugin</artifactId>
<executions>
<execution>
<id>default-assemble-repository</id>
<goals>
<goal>assemble-repository</goal>
</goals>
<phase>package</phase>
</execution>
<execution>
<id>default-archive-repository</id>
<goals>
<goal>archive-repository</goal>
</goals>
<phase>pre-integration-test</phase>
</execution>
</executions>
<configuration>
...
</configuration>
</plugin>
<plugin>
<groupId>org.eclipse.tycho</groupId>
<artifactId>tycho-gpg-plugin</artifactId>
<executions>
<execution>
<id>gpgsigner</id>
<goals>
<goal>sign-p2-artifacts</goal>
</goals>
<configuration>
<verbose>true</verbose>
<skipIfJarsigned>true</skipIfJarsigned>
<passphrase>${gpg.passphrase}</passphrase>
<gpgArguments>
<arg>--verbose</arg>
</gpgArguments>
</configuration>
<phase>package</phase>
</execution>
</executions>
</plugin>
... |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 9 replies
-
|
The fact that the archived repo is missing PGP signatures is actually an issue in Tycho. You may want to open an issue for it so this can be improved in Tycho directly. Thinking further about it, the pgp sign mojo could be built-in the default lifecycle for In the meantime, yes, I think this workaround a good-ish way to do it ("whatever works"). |
Beta Was this translation helpful? Give feedback.
-
|
Built-in the default lifecycle for eclipse-repository would be the best IMHO. |
Beta Was this translation helpful? Give feedback.
-
|
Don't hesitate to submit a PR for that ;) |
Beta Was this translation helpful? Give feedback.
-
|
I don't think that's suitable from the default lifecycle, adding a mojo execution like you did is perfectly valid and how maven usually works, so I'm not sure why this is considered a workaround? How repositories are build is highly dependent on the use-case and PGP signing defiantly not the default. If one want to have it more automatic, instead reusing the signatures form the pgp-maven-plugin would be more suitable like we do for maven-p2-sites. |
Beta Was this translation helpful? Give feedback.
-
There is a more and more pressing recommendation from all software development actors to encourage more and more signing/trust markers in order to prevent attacks in the software delivery lifecycle. Enabling signatures by default in Tycho (and Maven but it's another story) would make sense; as long as it wouldn't cause regressions (eg just warn instead of fail when no pgp key is set). |
Beta Was this translation helpful? Give feedback.
-
|
As mentioned the industry standard is Apache Maven GPG Plugin and one should (or must(!) in case of maven central) sign artifacts when building/publishing, the way Eclipse platform does (only sign the update site and publish things after the fact) is in my opinion nothing I would advocate to the broader audience. As said, maven-p2-site already uses the signer info from Apache Maven GPG Plugin and it would be better to support that workflow here as well instead of making something the default that was invented to fulfill the very special demands of eclipse platform builds. |
Beta Was this translation helpful? Give feedback.
-
Yet it's pragmatically what works best for many projects, not just Eclipse Platform. So while the overall workflow might be questionable to you, it's still not deprecated in the absence of a more comfortable alternative to Signing the artifacts in the p2 repo is a way to say that as a provider of the p2 repo, I do trust the content I ship in this p2 repo; reusing signer info doesn't provide that at all; copying the signature from a 3rd party signer doesn't imply it's trusted by some other provider. |
Beta Was this translation helpful? Give feedback.
-
|
That's why I said there are so many different usages that there is nothing that fits all and configure what the user wants seems the best (and most flexible) way. |
Beta Was this translation helpful? Give feedback.
-
That's denying actual usage and user requests here and other tickets. You think there are "so many different usages" while looking at various Eclipse projects, at Eclipse.org and outside, 90% of usage in Tycho is about end with a p2 repository that's produced from an eclipse-repository module with a category.xml; and adding the |
Beta Was this translation helpful? Give feedback.
-
|
Adding such thing that don't work by default to the default lifecycle is actually very bad, I don't see that this improves anything as the user has to configure it anyways, so what do we save here? Actually only specify the execution, but we have that at other places as well so I still think this is nothing that belongs to the default life-cycle of a packaging type. |
Beta Was this translation helpful? Give feedback.
-
|
By the way I think we can better serve users by enhancing the documentation here: https://tycho.eclipseprojects.io/doc/master/tycho-gpg-plugin/plugin-info.html How to Use, Why it is good and so on ... |
Beta Was this translation helpful? Give feedback.
-
|
https://tycho.eclipseprojects.io/doc/master/tycho-gpg-plugin/sign-p2-artifacts-mojo.html |
Beta Was this translation helpful? Give feedback.
The fact that the archived repo is missing PGP signatures is actually an issue in Tycho. You may want to open an issue for it so this can be improved in Tycho directly. Thinking further about it, the pgp sign mojo could be built-in the default lifecycle for
eclipse-repository-hooked between assemble and archive- and be a no-op as long as the signing key is not set or empty (with a warningNo PGP signing key configured, skipped).In the meantime, yes, I think this workaround a good-ish way to do it ("whatever works").