Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Build] Don't resign already signed jars #2143

Merged
merged 1 commit into from
Jun 20, 2024
Merged

[Build] Don't resign already signed jars #2143

merged 1 commit into from
Jun 20, 2024

Conversation

HannesWell
Copy link
Member

@HannesWell HannesWell commented Jun 19, 2024
edited
Loading

Reduce the number of actual signing operations by not re-signing artifacts (in the I-build) are already signed, usually because they have been 'baseline-replaced'.

In order to ensure that signatures of baseline-replaced artifacts can be considered, the p2-baseline-replacement is moved before the eclipse-jarsigner-plugin.

Furthermore set 'defaultP2Metadata' to false to skip the default baseline replace.

Fixes #2134

This is a follow-up on #2140.

This was referenced Jun 19, 2024
Merged
Closed
@HannesWell HannesWell marked this pull request as ready for review June 19, 2024 19:02
@HannesWell
Copy link
Member Author

In order to ensure that signatures of baseline-replaced artifacts can be considered, the p2-baseline-replacement is moved before the eclipse-jarsigner-plugin.

Furthermore set 'defaultP2Metadata' to false to skip the default baseline replace.

I have analyzed and thought through this again and concluded that all we should change is to set resigningStrategy=DO_NOT_RESIGN. The subsequent invocation of the p2-metadata goal is necessary in order to update the metadata like size if the jar was altered through the signing process. Because we have the p2-metadata-default activated the baseline replacement that restores previous signings already happens (the first time) earlier.

Because in multiple sub-modules the source feature generation, which requires yet another p2-metadata invocation (usually named attach-p2-metadata) is, is not guarded in a profile only activated for features, there are in total three p2-metadata invocations for many eclipse-plugin-projects.
But that's another issue and ideally we would replace source-features by pure metadata, but that's again another issue.

To make a long story short I think this should be fine now as it is.
@akurtakov do you agree?

@akurtakov
Copy link
Member

Yes, no resigning if signed should be fine.

@HannesWell
[Build] Don't resign already signed jars
17d623b 
Reduce the number of actual signing operations by not re-signing
artifacts (in the I-build) are already signed, usually because they have
been 'baseline-replaced'.

The baseline replacement is performed first the 'p2-metadata-default'
goal executed by default and before the jar-signing.
The subsequent explicit invocation of the p2-metadata (non-default) goal
is again necessary to update the p2 metadata (like artifact size) after
the jar has been altered by the signing operation.

Fixes eclipse-platform#2134
@HannesWell
Copy link
Member Author

Build failure is unrelated and should hopefully be fixed with eclipse-equinox/p2#528.

@HannesWell HannesWell merged commit 213e6ff into eclipse-platform:master Jun 20, 2024
3 of 4 checks passed
@HannesWell HannesWell deleted the avoid-resigning branch June 20, 2024 20:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akurtakov akurtakov akurtakov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Disable resigning of already signed jars
2 participants
@HannesWell @akurtakov