Ensure plugins that are not JAR-signed are GPG-signed
We now take plugins directly from Maven Central (see !560 (merged)), but these are not (always) properly signed. If they are not JAR-signed, we should PGP-sign them.
Background information:
- https://gitlab.eclipse.org/eclipse-wg/ide-wg/eclipseide.org/-/issues/11
- eclipse-wg/ide-wg/community#11 (closed)
We need to update our Maven configuration:
- https://docs.google.com/document/d/1MnDBvOUwKvKacB-QKnH_PzK88dUlHkjs-D-DWEKmvkY/edit#heading=h.tir6oo3i3el8
- https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html
- https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/master/eclipse.platform.releng.tychoeclipsebuilder/pom.xml#L38
- https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/d9654e3b3197b4df7516f55a0b5aa84e862ffb58/eclipse.platform.releng.tychoeclipsebuilder/pom.xml#L38
We need to request a GPG key for Jenkins:
- https://docs.google.com/document/d/1MnDBvOUwKvKacB-QKnH_PzK88dUlHkjs-D-DWEKmvkY/edit#heading=h.tir6oo3i3el8
- Requested, see eclipsefdn/helpdesk#3020 (closed)
We need to configure our Jenkinsfile to make the GPG key available:
- https://docs.google.com/document/d/1MnDBvOUwKvKacB-QKnH_PzK88dUlHkjs-D-DWEKmvkY/edit#heading=h.tir6oo3i3el8
- https://www.eclipse.org/lists/cross-project-issues-dev/msg19279.html
- https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/9a5fea992feb64ad3ad298ac2e97259c08baa89b/Jenkinsfile#L17
- https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/9a5fea992feb64ad3ad298ac2e97259c08baa89b/Jenkinsfile#L30
- https://github.com/eclipse/tm4e/pull/379/commits/aba1fb103a341507d2dbbec81c16008216d5664a
- https://wiki.eclipse.org/Jenkins#How_can_artifacts_be_deployed_to_OSSRH_.2F_Maven_Central.3F
Furthermore:
- We need to make sure that any dependency that we don't obtain from an external update site is hosted on our update site (like we do for JavaBDD). This ensures that e.g. CIF can be installed into an existing Eclipse IDE.
- For all direct-from-Maven dependencies that we put on our own update site (as third party dependencies), we need to consider adding a feature with proper license information, like we do now for JavaBDD.
- There is no need to put JavaBDD in our repo, as JavaBDD 5.0.0 is on Maven Central with proper OSGi metadata.
Edited by Dennis Hendriks
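As an added illustration (not code from this project or from Tycho), the sketch below shows one way to list which plugin JARs carry no JAR signature and therefore fall under the "PGP-sign them" rule above. The function names and the in-memory sample JARs are constructed for the example; the check only tests for signature files under `META-INF/` and does not validate them.

```python
import io
import re
import zipfile

# JAR signing leaves a signature file (.SF) plus a signature block file
# (.RSA, .DSA or .EC) with the same base name directly under META-INF/.
_SF = re.compile(r"^META-INF/([^/]+)\.SF$", re.IGNORECASE)
_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.IGNORECASE)


def is_jar_signed(jar_bytes: bytes) -> bool:
    """Presence check only: True if a .SF file has a matching block file.

    This does not verify the signature or its certificate chain.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    sf_bases = {m.group(1).upper() for n in names if (m := _SF.match(n))}
    block_bases = {m.group(1).upper() for n in names if (m := _BLOCK.match(n))}
    return bool(sf_bases & block_bases)


def plugins_needing_pgp(jars: dict) -> list:
    """Names of the JARs that are not JAR-signed (hypothetical helper)."""
    return sorted(name for name, data in jars.items() if not is_jar_signed(data))


def _make_jar(entries: dict) -> bytes:
    """Build a small JAR in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one signed layout, one plain Maven Central style JAR,
# and one with a stray .SF file but no signature block.
MANIFEST = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}
SAMPLE = {
    "signed.jar": _make_jar({**MANIFEST, "META-INF/ECLIPSE_.SF": "sf",
                             "META-INF/ECLIPSE_.RSA": "block"}),
    "unsigned.jar": _make_jar({**MANIFEST, "pkg/A.class": "bytes"}),
    "half.jar": _make_jar({**MANIFEST, "META-INF/ECLIPSE_.SF": "sf"}),
}

if __name__ == "__main__":
    for name in plugins_needing_pgp(SAMPLE):
        print(f"{name}: not JAR-signed, needs a PGP signature")
```

A JAR reported as signed here should still be checked with `jarsigner -verify` before relying on its signature.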