releng.wtpbuilder/scripts/build/signingReference.txt - webtools/webtools.releng - Gitiles


 Following is standard "form letter" sent to those given signing privileges.
 Has some good description of basic mechanics of the process.

 See also http://wiki.eclipse.org/JAR_Signing


 See also
 http://dev.eclipse.org/viewcvs/index.cgi/org.eclipse.phoenix/infra-scripts/jar_signing/?root=Technology_Project

 and Denis's description that "Essentially, sign puts it in the
 queue, sign_queue_process.sh processes the queue, which calls
 jarprocessor.jar, which then calls sign.sh, which
 calls jarsigner."

 In particular, there I find the actual call to the jar processor is

 java /home/admin/jarprocessor.jar -outputDir $DIR -repack -verbose -processAll -sign /home/admin/sign.sh $FILE

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

 Remember, to watch signer, use
 tail -F /tmp/jarsigner

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

 Hello,

 You have been granted a privilege to sign JAR and ZIP files for your
 project.  The signing process will allow you to sign individual JAR
 files, or to sign all the JAR files recursively in a ZIP file. All the
 signing operations are performed using an SSH shell on the
 build.eclipse.org server.

 ** PLEASE NOTE: this privilege enables you to sign code on behalf of the
 Eclipse Foundation, using the Eclipse Foundation's code signing
 certificate. Please ensure that the code you will sign is sanctioned by
 your project lead, your PMC Lead or the EMO.

 Here's how it works:

 1. Using your favourite SSH application (such as Putty), log in to
 build.eclipse.org using your CVS committer credentials.

 2. Move or copy the files to be signed to the Downloads Staging area.
 You cannot sign files anywhere else. The Staging Area is at

 /opt/public/download-staging.priv/

 , and it is structured like the
 downloads area.  If you don't have a staging directory, or if you cannot
 access it, please contact webmaster.

 3. Use the 'sign' command, as such:
 sign <file> <mail|nomail> [outputDir]
 where file is the name of the ZIP or JAR file you want signed.  Because
 signing is computationally intensive work, wildcards are not supported.
 mail|nomail will allow you to receive an e-mail notice that signing is
 completed.
 outputDir is optional: if specified, signed files will be placed in this
 directory.  If omitted, the original file will be overwritten with the
 signed one.

 4. When signing is complete, you can verify the signed JAR file with the
 following command (to verify ZIP files, unzip them first, then verify
 the JARs inside):
 jarsigner -verify <file>

 5. Move the signed files back to the downloads area, and delete any
 other files in the Staging Area.
 Please note: Files older than 14 days will be deleted from the staging
 area automatically.

	Following is standard "form letter" sent to those given signing privileges.
	Has some good description of basic mechanics of the process.

	See also http://wiki.eclipse.org/JAR_Signing


	See also
	http://dev.eclipse.org/viewcvs/index.cgi/org.eclipse.phoenix/infra-scripts/jar_signing/?root=Technology_Project

	and Denis's description that "Essentially, sign puts it in the
	queue, sign_queue_process.sh processes the queue, which calls
	jarprocessor.jar, which then calls sign.sh, which
	calls jarsigner."

	In particular, there I find the actual call to the jar processor is

	java /home/admin/jarprocessor.jar -outputDir $DIR -repack -verbose -processAll -sign /home/admin/sign.sh $FILE

	= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

	Remember, to watch signer, use
	tail -F /tmp/jarsigner

	= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

	Hello,

	You have been granted a privilege to sign JAR and ZIP files for your
	project. The signing process will allow you to sign individual JAR
	files, or to sign all the JAR files recursively in a ZIP file. All the
	signing operations are performed using an SSH shell on the
	build.eclipse.org server.

	** PLEASE NOTE: this privilege enables you to sign code on behalf of the
	Eclipse Foundation, using the Eclipse Foundation's code signing
	certificate. Please ensure that the code you will sign is sanctioned by
	your project lead, your PMC Lead or the EMO.

	Here's how it works:

	1. Using your favourite SSH application (such as Putty), log in to
	build.eclipse.org using your CVS committer credentials.

	2. Move or copy the files to be signed to the Downloads Staging area.
	You cannot sign files anywhere else. The Staging Area is at

	/opt/public/download-staging.priv/

	, and it is structured like the
	downloads area. If you don't have a staging directory, or if you cannot
	access it, please contact webmaster.

	3. Use the 'sign' command, as such:
	sign <file> <mail\|nomail> [outputDir]
	where file is the name of the ZIP or JAR file you want signed. Because
	signing is computationally intensive work, wildcards are not supported.
	mail\|nomail will allow you to receive an e-mail notice that signing is
	completed.
	outputDir is optional: if specified, signed files will be placed in this
	directory. If omitted, the original file will be overwritten with the
	signed one.

	4. When signing is complete, you can verify the signed JAR file with the
	following command (to verify ZIP files, unzip them first, then verify
	the JARs inside):
	jarsigner -verify <file>

	5. Move the signed files back to the downloads area, and delete any
	other files in the Staging Area.
	Please note: Files older than 14 days will be deleted from the staging
	area automatically.