eclipse-platform / eclipse.platform.releng.aggregator

Aggregated repository for Eclipse Java IDE
https://www.eclipse.org/eclipse/
Eclipse Public License 2.0

[Build] Build don't resign signed jars and skip signing in master build #2140

Closed HannesWell closed 1 month ago

HannesWell commented 1 month ago

Reduce the number of actual signings by not signing artifacts on master branch builds in this repository (the built artifacts are not published) and not re-signing artifacts in the I-build that are baseline replaced and therefore already signed.

Fixes https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/issues/2134

In order for DO_NOT_RESIGN to have an effect, signing should happen after a baseline replacement done in tycho-p2:p2-metadata. Currently it is done before. Therefore this is a draft.

akurtakov commented 1 month ago

PGP is not related to jarsigning and not using the jarsigner plugin (where the actual throughput is limited), thus I don't see benefit in dropping it. Actually, keeping it will still allow us to have signed content (pgp) without extra burden on the infrastructure (as you are removing -Peclipse-sign).

HannesWell commented 1 month ago

> PGP is not related to jarsigning and not using the jarsigner plugin (where the actual throughput is limited), thus I don't see benefit in dropping it. Actually, keeping it will still allow us to have signed content (pgp) without extra burden on the infrastructure (as you are removing -Peclipse-sign).

It's correct that PGP-signing is unrelated to jar-signing and not causing problems. But since both are activated with the same eclipse-sign profile, it is currently not possible to activate only one of both without reworking these profiles in general. Since the modified Jenkins pipeline is only used to run the master and verification builds of this repository, I don't see a benefit in keeping the signatures because the artifacts built there are not published anywhere AFAIK. If we keep the signing (pgp and jar) here and only use DO_NOT_RESIGN, we more than double the number of signings compared to when not calling the profile. The reason is that each night when the nightly build pushes the sub-module updates, the master build runs and the signings that happen in the I-builds are repeated for that master build, plus the master builds due to manual changes that re-sign all other bundles changed in sub-modules since the last I-build.

HannesWell commented 1 month ago

I replayed the build to activate signing for the verification build in order to replicate the I-build situation and it looks like swapping the eclipse-jarsigner-plugin and tycho-p2-plugin:p2-metadata has the desired effect and unchanged bundles are baseline replaced and not resigned.

But even when not re-signing already signed artifacts I see at least 91 artifacts being signed (the build has not yet completed). Some of them are for example not in the baseline, like tests.

akurtakov commented 1 month ago

For the sake of minimizing the change (and probably https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/issues/2134#issuecomment-2165610288 ) please revert the reordering and push the disabling of signing altogether in the jenkinsfile to master.

HannesWell commented 1 month ago

> For the sake of minimizing the change (and probably #2134 (comment) ) please revert the reordering and push the disabling of signing altogether in the jenkinsfile to master.

Reduced this PR now to just remove the signing of artifacts at the master/maintenance branch builds of this repository. Create a dedicated PR to further reduce the number of signing operations by not re-signing already signed artifacts: