[Build] Build don't resign signed jars and skip signing in master build

Reduce the number of actual signing by not signing artifacts on master branch builds in this repository (the built artifacts are not published) and not re-signing artifacts in the I-build that are baseline replaced and therefore already signed. Fixes eclipse-platform#2134
HannesWell · Jun 18, 2024 · 8eec9d1 · 8eec9d1
1 parent 2c74cc6
commit 8eec9d1
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 35 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -13,14 +13,6 @@ pipeline {
 		jdk 'temurin-jdk21-latest'
 	}
 	stages {
-		stage('initialize PGP') {
-			steps {
-				withCredentials([file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')]) {
-					sh 'gpg --batch --import "${KEYRING}"'
-					sh 'for fpr in $(gpg --list-keys --with-colons  | awk -F: \'/fpr:/ {print $10}\' | sort -u); do echo -e "5\ny\n" |  gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; done'
-				}
-			}
-		}
 		stage('Use master') {
 			steps {
 				sh 'git submodule foreach "git fetch origin master; git checkout FETCH_HEAD"'
@@ -42,28 +34,17 @@ pipeline {
 		stage('Build') {
 		    when { not { branch pattern: "prepare_R.*", comparator: "REGEXP" } }
 			steps {
-				withCredentials([string(credentialsId: 'gpg-passphrase', variable: 'KEYRING_PASSPHRASE')]) {
-					sh '''
-					if [[ ${BRANCH_NAME} == master ]] || [[ ${BRANCH_NAME} =~ ^R[0-9]_[0-9]+_maintenance ]]; then
-						MVN_ARGS="-Peclipse-sign"
-					else
-						MVN_ARGS=
-						export KEYRING="deadbeef"
-						export KEYRING_PASSPHRASE="none"
-					fi
+				sh '''
 					mvn clean install -pl :eclipse-sdk-prereqs,:org.eclipse.jdt.core.compiler.batch -DlocalEcjVersion=99.99 -Dmaven.repo.local=$WORKSPACE/.m2/repository -U
 					mvn clean verify -e -Dmaven.repo.local=$WORKSPACE/.m2/repository \
 						-Pbree-libs \
-						${MVN_ARGS} \
 						-DskipTests=true \
 						-Dcompare-version-with-baselines.skip=false \
 						-DapiBaselineTargetDirectory=${WORKSPACE} \
 						-Dgpg.passphrase="${KEYRING_PASSPHRASE}" \
 						-Dcbi-ecj-version=99.99 \
 						-U
-					'''
-				}
-
+				'''
 			}
 			post {
 				always {

diff --git a/eclipse-platform-parent/pom.xml b/eclipse-platform-parent/pom.xml
@@ -823,6 +823,20 @@
       <id>eclipse-sign</id>
       <build>
         <plugins>
+          <plugin>
+            <groupId>org.eclipse.tycho</groupId>
+            <artifactId>tycho-p2-plugin</artifactId>
+            <version>${tycho.version}</version>
+            <executions>
+              <execution>
+                <id>p2-metadata</id>
+                <goals>
+                  <goal>p2-metadata</goal>
+                </goals>
+                <phase>verify</phase>
+              </execution>
+            </executions>
+          </plugin>
           <plugin>
             <groupId>org.eclipse.cbi.maven.plugins</groupId>
             <artifactId>eclipse-jarsigner-plugin</artifactId>
@@ -834,6 +848,9 @@
                   <goal>sign</goal>
                 </goals>
                 <phase>verify</phase>
+                <configuration>
+                  <resigningStrategy>DO_NOT_RESIGN</resigningStrategy>
+                </configuration>
               </execution>
             </executions>
             <configuration>
@@ -846,20 +863,6 @@
               <timeoutMillis>120000</timeoutMillis>
             </configuration>
           </plugin>
-          <plugin>
-            <groupId>org.eclipse.tycho</groupId>
-            <artifactId>tycho-p2-plugin</artifactId>
-            <version>${tycho.version}</version>
-            <executions>
-              <execution>
-                <id>p2-metadata</id>
-                <goals>
-                  <goal>p2-metadata</goal>
-                </goals>
-                <phase>verify</phase>
-              </execution>
-            </executions>
-          </plugin>
         </plugins>
       </build>
     </profile>