blob: e9d33c9861b6aac9d2637d13298c475f0e8a96fb [file]
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<document>
<properties>
<title>Signing Eclipse Plugins - release process</title>
<author email="dev@uima.apache.org">
Apache UIMA Documentation Team</author>
</properties>
<body>
<section name="Overview">
<p>All released Apache artifacts are normally signed. Eclipse jar signing is in addition
to the Apache release signing. This additional signing (with a recognized authority certificate)
allows the Eclipse installer to avoid saying it is installing unsigned artifacts and needs permission to continue.
</p>
<p>
It also enables automatic notification and subsequent update (if the user chooses) of upgrades. Because of this,
insure your feature id's are different for versions which should not automatically update.
</p>
<p>Both the feature jars and the plugin jars need to be signed. But not the pack.gz things or the artifacts / contents jars.</p>
<subsection name="Process Flow">
<p>We use a 2 step process, to reduce costs to Apache for signing release candidates which subsequently fail.
After the release vote passes, feature and plugin Jar files (but not the pack.gz files) are manually uploaded and signed,
and then a subsequent maven task is run to rebuild just the site packaging artifacts using the signed Jars.</p>
<p>The first step is to do a normal build of the update site, using mvn release:prepare.
This produces the artifacts for voting on, without jar-signing the
new Jars, and writes the "tag" for this into SVN for record keeping.</p>
<p>After the vote passes
the release manager, using their special credentials, logs onto the signing portal. This process
requires a one-time code, which the portal will send to you.</p>
<p style="margin-left: 40px">(Note: I had to refresh my web browser in order to
get the screen showing that option).
</p>
<p>Once signed, in, make a signing set
consisting of all of the Jars in target/eus-work/plugins and feature jars (feature jars must also be signed)
(not the *.pack.gz files, nor the ..content nor ..artifact metadata Jars).
</p>
<p>For convenience, and to rename any name-collisions between jars in the features/ and plugins/ directories,
make a new folder (signingSet), and copy all the files from target/saved into that, renaming any
collisions.
</p>
<p>On the signing web application make a new signing set and upload these files to that set.
Then sign them (either use Test signing or Production signing). Test signing is only if you're new to
the whole process and want to test things work. Then download the result, and copy them into the
target/eus-work/features and /plugins directories, overlaying the unsigned ones.</p>
<p>Then rebuild the update site by running <code>mvn antrun:run@make-subsite-after-signing</code>.
This does the remaining steps,
including packing (regenerating the .pack.gz files in the /plugins) and adding the various
signatures and checksums to these. These are then re-published, merging with any previous contents of the update site.
</p>
<p>Messages about "Artifact repository out of sync. Overwriting xxxx" are to be expected.</p>
<p>Please try installing the result to confirm nothing went wrong in this re-build process.</p>
<p>If you used a test signing, instead of a production signing,
if all is well, repeat the above process starting with selection "production" signing for the jars, downloading
those jars, replacing them into the eus-work directory, and re-running the mvn antrun:run@make-subsite-after-signing.</p>
</subsection>
<subsection name="Changes to Normal Build">
<p>To support signing, the normal build needs some small changes.
<ol>
<li>(actually a bug fix) The existing build after running the JarProcessor, copies the original (unprocessed) Jars
into the eus-work/plugins - accidentally overwriting the repacked/conditioned Jars. This step must be deleted;
in order to have the processed/conditioned Jars available for signing.
</li>
<li>When doing the subsite build, any previous versions are combined with the new version. This is done by
downloading the previous versions into a new instance of the subsite. Because this packaging step needs
to be redone, the original contents.jar and artifacts.jar files need to be saved so they can be restored
before the rebuild with signed artifacts.</li>
</ol>
</p>
<p>Additionally, to aid in reproducing things, the pre-signed, conditioned JARs are saved; in case of need, they can
be restored without rebuilding them again. This step might be removed in the future - it is not essential.</p>
</subsection>
</section>
<section name="Release Manager needs to have a valid code signing certificate">
<p>
For the UIMA project, contact the PMC chair for aid in obtaining a code signing certificate if you need one.</p>
</section>
<section name="Release only if 1 or more changed Eclipse plugins">
<p>If the release does not have any updates to Eclipse Plugin JARs, save Apache money by reusing previously released versions.
If the release has 1 or more JARs, these will be signed in 1 signing event. so it doesn't matter how many Jars there are.</p>
</section>
<section name="Links to Apache resources for codesigning">
<p>See <a target="_blank" rel="noopener" href="https://reference.apache.org/pmc/codesigning">
https://reference.apache.org/pmc/codesigning</a> for general information.
</p>
<p>See <a target="_blank" rel="noopener" href="https://wiki.eclipse.org/JAR_Signing#What_gets_signed">
https://wiki.eclipse.org/JAR_Signing#What_gets_signed</a> for background on signing Eclipse Plugins.</p>
</section>
</body>
</document>