I'm using maven & tyhco to compile & build my eclipse plugins and create a p2 repository.
However, when I install my plugins, eclipse shows a warning for the untrusted content. I know that to solve this issue, I must sign the plugins I distribute.
However, I don't know if there is a way to sign the plugins I'm building with tycho...
(I'm not an expert on maven & jar signing, hence forgive me for the dumb question!)
You can see a working example in The Mylyn-Mantis connector pom.xml . I have a special profile for signing:
<profile>
<id>sign</id>
<activation>
<property>
<name>jarsigner.alias</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jarsigner-plugin</artifactId>
<version>1.2</version>
<executions>
<execution>
<id>sign</id>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
Typically I invoke the sign command as mvn clean package -Djarsigner.alias=... -Djarsigner.storepass=... -Djarsigner.keypass=.... .
You also need to have a code signing certificate, whcih you will import using keytool -trustcacerts -importcert -file $CERTIFICATE -alias $ALIAS -keystore keystore.jks.
I have exactly the same needs : sign p2 bundle in an eclipse build process. You can use the eclipse way: https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/sign-mojo.html
Wich is used by eclipse it self to sign their bundles : https://github.com/eclipse/eclipse.platform.releng.aggregator/blob/master/eclipse-platform-parent/pom.xml