Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 396445

Summary: [CBI] none of the generated source features are signed
Product: [Eclipse Project] Platform Reporter: Paul Webster <pwebster>
Component: RelengAssignee: David Williams <david_williams>
Status: VERIFIED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: daniel_megert, david_williams
Version: 4.3   
Target Milestone: 4.3 M7   
Hardware: PC   
OS: Linux   
Whiteboard:
Bug Depends on: 400733    
Bug Blocks: 372792, 393922    
Attachments:
Description Flags
sign-sources.patch
none
eclipse-sign.patch alternate method none

Description Paul Webster CLA 2012-12-12 14:54:50 EST
When built with CBI and maven/tycho, our main features are signed (like org.eclipse.jdt) but the generated source features are not signed (like org.eclipse.jdt.source)

The source features are signed in our PDE build.

PW
Comment 1 Thanh Ha CLA 2012-12-13 13:48:39 EST
Created attachment 224680 [details]
sign-sources.patch

I believe the issue is due to ordering and inheritance of Maven plugins. In regards to jdt-feature, tycho-source-feature-plugin runs after eclipse-jarsigner-plugin. So this causes org.eclipse.jdt.feature jar to be signed, and then org.eclipse.jdt.sources.feature to be created unsigned since the jarsigner's already run it's signing task.

From what I understand Maven executes plugins in the same phase, in the order they are defined. So in the case of jdt-feature, eclipse-parent/pom.xml defined the jarsigner first, and then the jdt-feature pom inherits that, then define's the tycho-source-feature-plugin in it's own pom.xml. Since generating source feature is defined after the jarsigner plugin definition is inherited it will run after but in this case we actually want it to run before.

The attached patch redefines the eclipse-sign profile inside the jdt-feature pom after the tycho-source-feature-plugin is defined causing the execution order to be correct allowing the source feature to be signed.

I am not sure if this is the most optimal approach but it seems to work in this case. If there is a better solution please comment and let me know.
Comment 2 Thanh Ha CLA 2012-12-14 10:38:11 EST
Created attachment 224743 [details]
eclipse-sign.patch alternate method

Attached patch moves the sign phases to "verify" instead of redefining eclipse-sign profile in the feature poms.
Comment 4 Paul Webster CLA 2013-02-28 08:52:48 EST
It looks like there are still source bundles that aren't being signed:

http://dev.eclipse.org/mhonarc/lists/platform-releng-dev/msg21057.html

PW
Comment 5 Paul Webster CLA 2013-03-06 14:46:33 EST
I'm down to org.eclipse.help.base.source is not being signed when I update from one SDK to the next.

PW
Comment 6 David Williams CLA 2013-04-21 14:24:36 EDT
I believe everything is being signed now. (for I builds). 

Please open new bugs on specific cases that are found.
Comment 7 Dani Megert CLA 2013-04-22 04:47:32 EDT
(In reply to comment #6)
> I believe everything is being signed now. (for I builds). 

Hard to verify, given that bundle mentioned in comment 0 is not even part of the drop (see bug 400733).
Comment 8 David Williams CLA 2013-04-29 18:37:10 EDT
Dani you can verify on any source bundle that is produced/generated, which is what this bug was about. 

Whether or not branding bundles get produced (and signed) should be all be part of bug 400733. There's nothing constructive about leaving this open, just because bug 400733 is not settled, or solved.
Comment 9 David Williams CLA 2013-04-29 22:59:56 EDT
*** Bug 398028 has been marked as a duplicate of this bug. ***
Comment 10 Dani Megert CLA 2013-04-30 04:09:23 EDT
Verified in I20130430-0031.