Sign created artifacts, document updated processes #448
Well done.
A couple of clarifications needed
<id>sign-jars</id> | ||
<activation> | ||
<file> | ||
<exists>${env.SIGN_KEYSTORE}</exists> |
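Review bot: The `<exists>${env.SIGN_KEYSTORE}</exists>` activation makes signing silently optional: when the variable is unset or points at a file that is not there, the `sign-jars` profile is simply skipped and the build still succeeds with unsigned jars. For release builds, consider failing the build when the keystore is absent rather than skipping, and state in the docs that `SIGN_KEYSTORE` must hold the path to an existing keystore file, since the activation tests for a file and not just for the variable being set.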
So, jars are signed only if SIGN_KEYSTORE is an environment variable.
And for CI, this means using GitHub secrets.
Correct?
If we do CI for releases, yes, we will need a certificate and its password in GitHub secrets. I'm personally not prepared to do that with the official plugins.gwtproject.org cert (I make mistakes with code/build wiring, and several CI providers have had breaches), but perhaps we could make a self-signed cert instead for that purpose, just for nightlies?
If you like that idea, I'll add it to this PR after setting up a cert and putting it in the org.
Personally, I think that a self-signed cert is good enough.
- Confirmed that PRs won't sign (without branch name check): https://github.com/gwt-plugins/gwt-eclipse-plugin/actions/runs/4214214640/jobs/7314529326
- Confirmed that branches (without branch name check) will sign: https://github.com/gwt-plugins/gwt-eclipse-plugin/actions/runs/4214248488/jobs/7314591205
- Confirmed PR check works with branch name check: https://github.com/gwt-plugins/gwt-eclipse-plugin/actions/runs/4214214640/jobs/7314529326
- Confirmed that non-matching branches work with branch name check: https://github.com/gwt-plugins/gwt-eclipse-plugin/actions/runs/4214331119/jobs/7314726087

Going to verify artifacts tomorrow, then this should be ready to land, subject to reviewer approval.
Looks like this is working, please try downloading the repo zip at https://github.com/gwt-plugins/gwt-eclipse-plugin/actions/runs/4217845131 to take a look at how Eclipse handles the self-signed cert I have configured for this project. Presently intending to only use that for non-release builds, but we could also use them for releases too. For releases, I had intended to use the same cert that is used for hosting plugins.gwtproject.org, until we have enough demand to buy a CA-signed code signing cert.
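One way to check a downloaded repo zip for jars that came out unsigned, which is what a build produces when the `sign-jars` profile does not activate. This is an added example, not code from this PR; the `plugins/` and `features/` layout and the sample jar names are assumptions, and it only detects missing signature files (it does not validate signatures, which `jarsigner -verify` does).

```python
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")   # signature block files written by jar signing
BUNDLE_DIRS = ("plugins/", "features/")    # assumed repo layout; other jars are skipped

def jar_signature_state(jar_bytes):
    """Return 'signed', 'partial' or 'unsigned' from the jar's META-INF entries."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n.upper() for n in jar.namelist()]
    # Signature files must sit directly in META-INF/, not in a subdirectory.
    meta = [n for n in names if n.startswith("META-INF/") and n.count("/") == 1]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith(SIG_BLOCK_EXTS) for n in meta)
    if has_sf and has_block:
        return "signed"
    # One file without the other means a stripped or broken signature.
    return "partial" if (has_sf or has_block) else "unsigned"

def audit_repo_zip(repo_bytes):
    """Map each bundle jar inside the repository zip to its signature state."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(repo_bytes)) as repo:
        for name in repo.namelist():
            if name.startswith(BUNDLE_DIRS) and name.lower().endswith(".jar"):
                report[name] = jar_signature_state(repo.read(name))
    return report

def make_zip(entries):
    """Build an in-memory zip from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample_repo():
    """Constructed sample: one jar carrying signature files, one without."""
    manifest = "Manifest-Version: 1.0\n"
    signed = make_zip({"META-INF/MANIFEST.MF": manifest,
                       "META-INF/SELFSIGN.SF": "Signature-Version: 1.0\n",
                       "META-INF/SELFSIGN.RSA": b"\x30\x00"})
    unsigned = make_zip({"META-INF/MANIFEST.MF": manifest, "b/B.class": b""})
    return make_zip({"plugins/example.signed_1.0.0.jar": signed,
                     "plugins/example.unsigned_1.0.0.jar": unsigned,
                     "artifacts.jar": unsigned})  # metadata jar, not audited

if __name__ == "__main__":
    for path, state in audit_repo_zip(build_sample_repo()).items():
        print(f"{state:9} {path}")
```

In CI, a non-empty set of `unsigned` or `partial` entries on a branch that is expected to sign can be turned into a failing step.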
|
||
## Repository | ||
Download the repo in a zip file. | ||
The Eclipse repositories for this plugin. |
Very good you updated documentation
these are signed with a self-signed certificate. | ||
|
||
## Development | ||
* Nightly update site: https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/nightly |
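Review bot: The sentence "these are signed with a self-signed certificate" tells users what to expect but gives them nothing to check it against. Consider adding the certificate's fingerprint, or a pointer to where it is published, next to that sentence so a user who is asked to trust the certificate can compare it before accepting, and say which of the listed sites (release, nightly) are signed with it.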
Any plan for uploading nightly artifacts as part of the build?
Now that I think we've got the build right, nightly artifacts are next; I'll be trying to implement a webhook for this.
Deployed manually for testing at https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/nightly/ - note that in the future this repo will likely not be signed, and only releases will be signed in this way. The signing cert here is the same cert as is used by plugins.gwtproject.org itself - we can probably improve the experience here somewhat, but it does seem to be a step up from no signing at all.
Fixes #446