Closed Phillipus closed 2 years ago
This NPE is fixed in Eclipse 4.23 but you need to use a Tycho version that uses 4.23. As such, you will need to use Tycho 2.7.1 or 3.0.0-SNAPSHOT. See the following changes in EPP's build to make this all work properly:
Please read the comment of the commit. When you've built your product, check in the about dialog that the jetty plugins indicate they are PGP signed, rather than appearing unsigned...
you will need to use Tycho 2.7.1
That did the trick!
check in the about dialog that the jetty plugins indicate they are PGP signed, rather than appearing unsigned...
The "Eclipse Jetty Project" plug-ins all say "unsigned" - is that a problem?
Ed, thanks ever so much for responding so quickly. :-)
Phil
I'm not sure if I understand this correctly.
In order for the Jetty plug-ins to be PGP signed I need to add the following to the configuration of tycho-p2-repository-plugin:
<includeAllDependencies>true</includeAllDependencies>
And the following to the configuration of tycho-p2-director-plugin:
<source>repository</source>
I've done that but they still show as Unsigned.
The <source>repository</source> for the tycho-p2-director-plugin is also important:
That's because the target platform's artifact metadata doesn't contain the pgp keys but the repository does.
The <source>repository</source> for the tycho-p2-director-plugin is also important:
I've added that and still no dice.
There are many ways to do it wrong and get no complaints from Maven/Tycho. Using -X helps to see if it's configured properly. Is there somewhere I can have a look at what you've tried? Did you add it here:
Is there somewhere I can have a look at what you've tried?
Thanks for your help.
I created a new branch: https://github.com/archimatetool/archi/tree/pom-test
Parent pom: https://github.com/archimatetool/archi/blob/pom-test/pom.xml
Product pom: https://github.com/archimatetool/archi/blob/pom-test/com.archimatetool.editor.product/pom.xml
I can see that when this is run a com.archimatetool.editor.product/target/repository is created and inspecting the artifacts.xml file inside of artifacts.xml file the PGP sigs are there for Jetty. But the final products in com.archimatetool.editor.product/target/products/com.archimatetool.editor.product show as unsigned when run and the plug-in information is shown.
I don't think there's a problem with the pom.xml with the new additions.
The product generation generates an artifacts.xml file alongside the Archi.exe and Archi.ini files. And I can see the PGP sigs for Jetty inside of that. However, for some reason this information is not being picked up in the installation details list of plug-ins:
The pom looks okay. The important property that's missing, apparently, is the pgp.publicKeys property. It should be present in the repository's artifacts.xml and in the final artifacts.xml of the product.
Tycho added a test for this:
https://github.com/eclipse/tycho/pull/826
Did you try running with -X to check that the configuration is properly interpreted (though, as I said, it looks okay).
I'm running short on time today, but I assume I could reproduce your problem locally if I cloned and checked out that branch?
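The check discussed above (are `pgp.signatures` and `pgp.publicKeys` present in both the repository's and the product's artifacts.xml?) can be scripted. This is an added example, not code from the thread, Tycho or p2; the function names and the sample XML are constructed for illustration, and the armor bodies are placeholders. It tests only for the presence of the properties and verifies no signature.

```python
import sys
import xml.etree.ElementTree as ET

def pgp_status(artifacts_xml, id_prefix=""):
    """Map (id, version) -> PGP metadata status for osgi.bundle artifacts.
    Presence check only: no signature is cryptographically verified here."""
    report = {}
    for art in ET.fromstring(artifacts_xml).iter("artifact"):
        if art.get("classifier") != "osgi.bundle":
            continue
        if not art.get("id", "").startswith(id_prefix):
            continue
        props = {p.get("name"): p.get("value", "") for p in art.iter("property")}
        has_sig = "-----BEGIN PGP SIGNATURE-----" in props.get("pgp.signatures", "")
        has_keys = "-----BEGIN PGP" in props.get("pgp.publicKeys", "")
        if has_sig and has_keys:
            status = "signature+keys"
        elif has_sig:
            status = "signature-only"  # keys missing: the case raised in the thread
        elif has_keys:
            status = "keys-only"
        else:
            status = "none"  # no PGP metadata; jar signing is not visible here
        report[(art.get("id"), art.get("version"))] = status
    return report

def lost_in_product(repo_xml, product_xml, id_prefix=""):
    """Artifacts complete in the repository metadata but not in the product's."""
    repo, prod = pgp_status(repo_xml, id_prefix), pgp_status(product_xml, id_prefix)
    return sorted(k for k, v in repo.items()
                  if v == "signature+keys" and k in prod and prod[k] != v)

# Constructed sample data; the armor bodies are placeholders, not real signatures.
SIG = "<property name='pgp.signatures' value='-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----'/>"
KEYS = "<property name='pgp.publicKeys' value='-----BEGIN PGP MESSAGE-----\nPLACEHOLDER\n-----END PGP MESSAGE-----'/>"

def sample(*artifacts):
    body = "".join(f"<artifact classifier='osgi.bundle' id='{i}' version='{v}'>"
                   f"<properties>{p}</properties></artifact>" for i, v, p in artifacts)
    return f"<repository><artifacts>{body}</artifacts></repository>"

JETTY = ("org.eclipse.jetty.security", "10.0.9")
REPO = sample(JETTY + (SIG + KEYS,), ("org.example.plain", "1.0.0", ""))
PRODUCT = sample(JETTY + (SIG,), ("org.example.plain", "1.0.0", ""))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # args: <repository artifacts.xml> <product artifacts.xml>
        REPO, PRODUCT = (open(p, "rb").read() for p in sys.argv[1:3])
    for key in lost_in_product(REPO, PRODUCT, "org.eclipse.jetty"):
        print("PGP metadata lost between repository and product:", key)
```

An empty result means every bundle that has both properties in the repository metadata also has them in the product metadata; it says nothing about whether the signatures are valid.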
Oops, I didn't mean to close!
The pom looks okay. The important property that's missing, apparently, is the pgp.publicKeys property. It should be present in the repository's artifacts.xml and in the final artifacts.xml of the product.
Yes, those properties are there.
Did you try running with -X
Yes. I couldn't see anything unusual.
I'm running short on time today, but I assume I could reproduce your problem locally if I cloned and checked out that branch?
Yes, thanks for helping. You'll need to build with this:
mvn clean package -P product
And the products should appear in:
com.archimatetool.editor.product\target\products\com.archimatetool.editor.product
On Windows you can run the Archi.exe file and then go to Help -> About Archi -> Installation Details to see the Plug-in details as in the screenshot above.
Oops, I didn't mean to close!
I do that all the time. The "Close with comment" button is too big. :-)
I do that all the time. The "Close with comment" button is too big. :-)
And guess what? I just did exactly that. D'oh!
I must run now, but when I check out and switch to your branch, it doesn't have the changes to use 2.7.1 and the 4.24 repository:
merks@CORE MINGW64 ~/archi/archi
$git status
On branch pom-test
Perhaps you missed a step?
I'll be back tomorrow.
Turns out I have 15 more minutes. I was using the command line so I'm a bit clueless. Switching to use EGit has helped. Building again...
You might want to edit Archi.ini if you don't want it to write stuff to your home folder. And maybe remove the -cleanConfig line to make it behave like a standard Eclipse app.
I see the right things in the product's artifacts.xml:
<artifact classifier='osgi.bundle' id='org.eclipse.jetty.security' version='10.0.9'>
<properties size='3'>
<property name='pgp.signatures' value='-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
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=87hT
-----END PGP SIGNATURE-----'/>
<property name='pgp.publicKeys' value='-----BEGIN PGP MESSAGE-----
Version: BCPG v1.70
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=xtSl
-----END PGP MESSAGE-----
'/>
<property name='download.size' value='121474'/>
</properties>
</artifact>
So the build is good.
I suspect there is something not installed needed to show the PGP stuff because your about dialog is missing many tabs...
The changes to make this work in the about dialog were done in this bug:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=578166
The class org.eclipse.equinox.internal.p2.ui.KeySigningInfoFactory contributes an adapter that is used by the platform to show the PGP signing details. You don't have the org.eclipse.equinox.p2.ui plugin installed so that adapter isn't available.
I suspect there is something not installed needed to show the PGP stuff because your about dialog is missing many tabs...
Could be. But maybe this is a peculiarity of RCP apps, as XMind also shows only those two tabs:
Note that the reason for this strangeness is that the normal jar signing is implemented by Equinox and these parts of the platform depend on Equinox for that explicitly. But the PGP signing support comes from p2 and this part of the platform framework doesn't know about p2; that's why it was done using an adapter...
You don't have the org.eclipse.equinox.p2.ui plugin installed so that adapter isn't available.
I added org.eclipse.equinox.p2.ui to my com.archimatetool.eclipse.feature and re-built, but still no signing info. Maybe another plug-in is needed?
Add it to the branch and I'll check tomorrow.
Found it. It needs the org.eclipse.equinox.p2.ui.sdk plug-in.
With this plug-in added to my com.archimatetool.eclipse.feature the signing info for the Jetty plug-ins is shown. And two other tabs are also shown in the dialog, "Installed Software" and "Installation History":
Unfortunately, there is a side-effect. Because of the dependency on org.eclipse.equinox.security.ui a new preference tab appears in Archi's preferences:
As Archi doesn't use any of the security features provided by this plug-in it doesn't ship it, and if users saw this Preference they might wonder what this is for.
So I think I'll just leave things as they are regarding the display of signing info in the dialog. I will keep the changes to the poms though.
Note that a user doing an update from within a password-protected proxy would be prompted for a password.
Also note that it's possible to mostly hide the contributions from any plugin:
https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Fguide%2Fworkbench_advext_activities.htm
https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Freference%2Fextension-points%2Forg_eclipse_ui_activities.html
Most concerning to me though is that this class is also in org.eclipse.equinox.p2.ui:
org.eclipse.equinox.internal.p2.ui.ValidationDialogServiceUI
Without that the user cannot be prompted to approve trust for certificates or PGP keys, so I'm not sure how updates will generally work without that...
I'll close because the NPE is fixed and everything can be made to work.
Ed, thanks a lot for your help on this one. As you say, the NPE is fixed and I now know how to show the signing info if needed by adding the extra plug-in.
Just to say that because Archi is an RCP app with a sub-set of Eclipse features, most end users aren't even aware of, or care about, things like Equinox, p2, proxies, or even Eclipse or Java for that matter. Archi doesn't expose p2 update sites to end users so no passwords, etc. are needed.
I'll take a look at the links to Activities to hide contributions, thanks for that.
Our RCP application is built using the following pom:
https://github.com/archimatetool/archi/blob/master/pom.xml
I have substituted the p2 URL with the URL for Eclipse 4.24 M1:
https://download.eclipse.org/eclipse/updates/4.24-I-builds/I20220414-1800/
Now, when I build using
mvn clean package -P product
the product build fails with: