What every developer should know about JARs and Eclipse products signing
Did you ever wonder why signing of JAR files is required to be part of the simultaneous release of Eclipse? Do you know what these signatures are for? Did you already cry while trying to combine pack200 and signing? Do you want to sign your proprietary Eclipse products and Jars? This talk will give you answers to all these questions.
It will first cover the basic principles of signing and their applications: authentication, integrity and non-repudiation. Then it will show you how, as an Eclipse project, you can leverage the Eclipse Foundation infrastructure to sign your bits (with and without Tycho). These demonstrations will also serve as the basis for explaining the reason why class files compression schemes like pack200 interfere with JAR signing. We will show you how to make it work and you will understand why. Finally, you will have a glimpse of how it works under the hood. We will show you how we implemented the system to be scalable and how you can reuse parts of our infrastructure for internal needs of your company.