PGP sign content

jonahgraham · jonahgraham · commit babb2b6334ba · 2026-01-24T14:15:40.000-05:00
As we consume directly from Maven Central for third-party dependencies
we need to resign content with PGP to allow installation without
signing errors.

Note that this only works for recent-ish versions of Eclipse. Installing
in older versions will cause unsigned content warnings.

Users are recommended to use latest/recent Eclipse versions to be fully
supported and ISVs are responsible to to maintain and update as needed.
diff --git a/parent/pom.xml b/parent/pom.xml
@@ -262,6 +262,23 @@
 							</execution>
 						</executions>
 					</plugin>
+					<plugin>
+						<groupId>org.eclipse.tycho</groupId>
+						<artifactId>tycho-gpg-plugin</artifactId>
+						<version>${tycho.version}</version>
+						<executions>
+							<execution>
+								<id>pgpsigner</id>
+								<goals>
+									<goal>sign-p2-artifacts</goal>
+								</goals>
+								<configuration>
+									<keyname>F5CBCFD82F07D82E</keyname>
+									<skipIfJarsigned>false</skipIfJarsigned>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
 				</plugins>
 			</build>
 		</profile>
diff --git a/scripts/jenkins/builds.Jenkinsfile b/scripts/jenkins/builds.Jenkinsfile
@@ -15,17 +15,27 @@ pipeline {
     }
 
     stages {
+        stage('initialize PGP') {
+            steps {
+                withCredentials([file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')]) {
+                    sh 'gpg --batch --import "${KEYRING}"'
+                    sh 'for fpr in $(gpg --list-keys --with-colons  | awk -F: \'/fpr:/ {print $10}\' | sort -u); do echo -e "5\ny\n" |  gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; done'
+                }
+            }
+        }
         stage('Build') {
             steps {
-
-                sh "mvn \
-                        --batch-mode \
-                        --show-version \
-                        clean verify \
-                        -P production \
-                        -Dmaven.repo.local=/home/jenkins/.m2/repository \
-                        --settings /home/jenkins/.m2/settings.xml \
-                "
+                withCredentials([string(credentialsId: 'gpg-passphrase', variable: 'KEYRING_PASSPHRASE')]) {
+                    sh "mvn \
+                            --batch-mode \
+                            --show-version \
+                            clean verify \
+                            -Dgpg.passphrase="${KEYRING_PASSPHRASE}"  \
+                            -P production \
+                            -Dmaven.repo.local=/home/jenkins/.m2/repository \
+                            --settings /home/jenkins/.m2/settings.xml \
+                    "
+                }
             }
         }
         stage('Upload') {
