How (best) to sign the Windows executable in the update site?

[buchen]

I want to sign the Windows executable that is contained in the update site.

This is how (I think) I can make it work:

• build the update site with tycho-p2-repository-plugin
• for each win32 archive in the binary folder
  • unjar
  • remove the existing signature (using osslsigncode on macOS)
  • sign the executable (using jsign on macOS)
  • jar
• run tycho-p2-repository-plugin:fix-artifacts-metadata

I wonder if there is a simpler way - some time after the executable has been built but before the update site is created.

[laeubi]

We recently added documentation here about possible ways. It is not very convenient but we maybe will improve on that later:

https://tycho.eclipseprojects.io/doc/main/SignProducts.html