Re: [cbi-dev] Signing service maven plugin
Hi Christian,
 Thank you for the kind words.
 Yes, it is possible to set up such a service on your own infrastructure. There is no documentation per se about the server API, but you can guess it easily from the simple single signing servlet which is used.
 The signing service has a single POST operation (the name of this operation is configurable in the properties file, more on that later). It has several parameters:

 - file - in formData - required - The jar file to be signed
 - digestalg - in query - optional - The digest algorithm to be used to sign the jar. See -digestalg option at Oracle documentation for more information. The valid values are (if the configured jarsigner is from Java 8 - advised):
     - DEFAULT, tells to the remote signing webservice to use its default digest algorithm to sign the jar
     - MD2
     - MD5
     - SHA_1
     - SHA1 Use this value if you need to be compatible with some old frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use SHA_1 otherwise.
     - SHA_224
     - SHA_256
     - SHA_384
     - SHA_512
 - sigalg - in query - optional - The signature algorithm to be used to sign the jar. See -sigalg option at Oracle documentation for more information. The valid values are (if the configured jarsigner is from Java 8 - advised):
     - DEFAULT, tells to the remote signing webservice to use its default digest algorithm to sign the jar
     - NONEwithRSA
     - MD2withRSA
     - MD5withRSA
     - SHA1withRSA
     - SHA224withRSA
     - SHA256withRSA
     - SHA384withRSA
     - SHA512withRSA
     - SHA1withDSA
     - SHA224withDSA
     - SHA256withDSA
     - NONEwithECDSA
     - SHA1withECDSA
     - SHA224withECDSA
     - SHA256withECDSA
     - SHA384withECDSA
     - SHA512withECDSA

 You can install the server on a machine by downloading the latest snapshot build of the single jar webservice (it embeds Jetty). I plan to do a release shortly after all the dependencies have been IP approved.
 You can start the server with a simple "java -jar jar-signing-service-VERSION.jar" (Java 8 required). It will look for a configuration file named "jar-signing-service.properties" in the current working directory. You can specify the path and filename of this configuration file with the "-c" option switch: "java -jar jar-signing-service-VERSION.jar -c /path/to/my.config.properties" 
 You will find a sample configuration file (with a description of what the options are for) in the git repo. You need to configure some information about the JKS and the certificate to be used for signing. I suppose you're familiar with that part.
 If you use the eclipse-jarsigner-plugin, you will need to specify the signerUrl parameter to your own service.
 If you want to try the webservice without creating a certificate and caring about the configuration file, there is a test server in the jar signing service test jar that I use for headless integration testing. Just download this additional jar  and run the following command:
 On Unix or similar
 java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer
 
 On Windows
 
 java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer
 
 It will print a URL (like http://localhost:3138/jarsigner) that you can add to your maven build (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner) and it will sign your jars locally with a dummy certificate. You can pass --help to see the options you can give to the TestServer. This test server has the same REST API as the production one.
 I hope it will help you with using this project. If you have more questions, please feel free to ask. If you see something that you miss from the current implementation, we are welcoming contributions ;) 
 Cheers, Mikael 

 Hi,
 I like the way eclipse is signing its plugins using the eclipse-jarsigner-plugin. I wonder if it is possible to set up such a service in our company, too.
 Is there documentation available how the server API works? Is it a REST API, or how does the backend work?
 Further it would be interesting to get the source code to eventually add some additional functionality like authenticating to the signing server first.
 thanks
 Christian
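
The request described in the reply above, written out as a client-side sketch. This is an added example, not code from the message or from the CBI project: it checks digestalg and sigalg against the values listed in the message before anything is sent, then builds the single POST. Assumptions: the function names are hypothetical, "formData" is taken to mean multipart/form-data, the response body is taken to be the signed jar, and refusing the MD2/MD5 values is a local policy choice.

```python
import urllib.parse
import urllib.request
import uuid

# Parameter values as listed in the message (Java 8 jarsigner on the server).
DIGEST_ALGS = "DEFAULT MD2 MD5 SHA_1 SHA1 SHA_224 SHA_256 SHA_384 SHA_512".split()
SIG_ALGS = ("DEFAULT NONEwithRSA MD2withRSA MD5withRSA SHA1withRSA SHA224withRSA "
            "SHA256withRSA SHA384withRSA SHA512withRSA SHA1withDSA SHA224withDSA "
            "SHA256withDSA NONEwithECDSA SHA1withECDSA SHA224withECDSA "
            "SHA256withECDSA SHA384withECDSA SHA512withECDSA").split()
# Assumption: a local policy choice, not something the message says the service enforces.
REJECTED_PREFIXES = ("MD2", "MD5")


def build_sign_request(signer_url, jar_name, jar_bytes, digestalg=None, sigalg=None):
    """Return a urllib Request: jar as form field 'file', algorithms in the query."""
    query = {}
    for name, value, allowed in (("digestalg", digestalg, DIGEST_ALGS),
                                 ("sigalg", sigalg, SIG_ALGS)):
        if value is None:
            continue  # both parameters are optional
        if value not in allowed:
            raise ValueError(f"{name}={value!r} is not a listed value")
        if value.startswith(REJECTED_PREFIXES):
            raise ValueError(f"{name}={value!r} rejected by local policy")
        query[name] = value
    url = signer_url + ("?" + urllib.parse.urlencode(query) if query else "")

    # Assumption: "in formData" means a multipart/form-data body.
    boundary = uuid.uuid4().hex
    safe_name = jar_name.replace('"', "").replace("\r", "").replace("\n", "")
    body = b"".join([
        f"--{boundary}\r\n".encode(),
        f'Content-Disposition: form-data; name="file"; filename="{safe_name}"\r\n'.encode(),
        b"Content-Type: application/java-archive\r\n\r\n",
        jar_bytes,
        f"\r\n--{boundary}--\r\n".encode(),
    ])
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def sign(signer_url, jar_name, jar_bytes, **algs):
    """Send the request; the response body is assumed to be the signed jar."""
    req = build_sign_request(signer_url, jar_name, jar_bytes, **algs)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()
```
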