
Re: [tycho-user] Question about signing and keystore management

Hi Andreas,

thank you for your answer!

> Hi Aleksandar,
>> I was wondering, do you sign your plugins and how do you manage your
>> keystores containing the certificates?
> well, on the Open Source side of things we use the Eclipse Foundation's
> signing service through the eclipse-jarsigner-plugin. If you don't mind
> the admin work, you can also set up your own signing webservice and use
> the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
> not need to distribute your keystore at all but can keep it on the
> webservice's server. (Disclaimer: I have not tried this.)
That's a very good idea. I took a look at the source code and it seems 
to be generic. So it should work.
>> My idea is to store the keystore in nexus and download it with maven,
>> when I need to sign the project. In the pom file I need to encrypt the
>> keystore and keypass pass. I will use the maven password encryption
>> mechanism. The whole thing must work for multiple developers and a Jenkins
>> server. So we have to distribute the settings-security.xml manually.
>> Is it a good idea to store the keystore on a local Nexus server? Do you
>> use Maven password encryption? Did you manage to integrate the master
>> password credentials in Jenkins?
>> If that's not a good idea, how do you do it?
> On the Closed Source side of things, I have put the keystore simply into
> Git, the secret not being the encrypted keystore but the password to it.
> The encrypted password itself is also in the checked-in POM, but the
> password to that is *not*, but kept in the settings-security.xml. Yes,
> you have to distribute that file manually, but everything else is
> encrypted and in Git.
> Downloading from Nexus rather than checking the keystore into Git sounds
> nice as well, but I don't think that the maven-jarsigner-plugin can
> access a keystore in one of its plugin dependencies. Thus, you cannot
> let Maven magically download the keystore for you but have to resort to
> the maven-dependency-plugin or similar to fetch it. I thought this to
> be a bit too cumbersome and went down the checking-into-Git route instead.
We already have over 20 repositories and every 2 years we need to
replace the keystores, which is a lot of work. So downloading the
keystore would save me that work.
> Hope this helps.
> Andreas
> [1] <>
> [2] <>

Best regards,
Aleksandar Toshovski
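An added example (not from this thread or either author) of the "fetch it with maven-dependency-plugin" route Andreas mentions: the keystore is deployed to the repository as its own artifact, copied into the build directory before packaging, and handed to maven-jarsigner-plugin. The artifact coordinates, the alias and the property names are assumptions.

```xml
<!-- Added example: fetch the keystore from the artifact repository (e.g. Nexus)
     instead of checking it into Git, then sign with maven-jarsigner-plugin.
     Coordinates, alias and property names are assumed, not taken from the thread. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <executions>
        <execution>
          <id>fetch-keystore</id>
          <phase>prepare-package</phase>          <!-- runs before the sign goal -->
          <goals><goal>copy</goal></goals>
          <configuration>
            <artifactItems>
              <artifactItem>
                <groupId>com.example.signing</groupId>   <!-- assumed coordinates -->
                <artifactId>release-keystore</artifactId>
                <version>${keystore.version}</version>   <!-- bump on keystore rotation -->
                <type>jks</type>
                <destFileName>release.jks</destFileName>
              </artifactItem>
            </artifactItems>
            <outputDirectory>${project.build.directory}/keystore</outputDirectory>
          </configuration>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <executions>
        <execution>
          <id>sign</id>
          <phase>package</phase>
          <goals><goal>sign</goal></goals>
        </execution>
      </executions>
      <configuration>
        <!-- the keystore file itself is only ever in the build directory -->
        <keystore>${project.build.directory}/keystore/release.jks</keystore>
        <alias>release</alias>                              <!-- assumed alias -->
        <!-- passwords come from properties that are NOT checked in;
             supply them via a profile in settings.xml or -D on the CI command line -->
        <storepass>${keystore.storepass}</storepass>
        <keypass>${keystore.keypass}</keypass>
      </configuration>
    </plugin>
  </plugins>
</build>
```

One caveat worth knowing: Maven's settings-security.xml master password only decrypts `<server>` and `<proxy>` passwords in settings.xml, not arbitrary POM properties, so an encrypted `{...}` value placed directly in a POM property is passed to the plugin verbatim.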
