A WebMaster’s view of Eclipse.org

Rants, praise and observations related to the technical and psychological challenges of running servers for a pretty busy site.

jarsigner, keytool and expletives

« Website usability testing at EclipseCon
Next: Eclipse disk space »

I’ll admit to being totally incompetent in this field, but maintaining a JAR signing infrastructure is hard work every three years or so.

After RTFM’ing it back in 2006 and exchanging more emails with Verisign support than I would have liked, I finally made it possible for Eclipse projects to sign code in April ‘06, using a 3-year certificate.

Fast-forward three years, and I’m at it again, trying to renew the certificate I purchased three years ago. After thoroughly documenting my process back in ‘06, I thought this time it would be easy.  I thought wrong.

“You live, you learn” they say. I look forward to a flawless renewal of my certificate in 2012.  Fun times :)

Posted February 3rd, 2009 by Denis Roy in category: Uncategorized
You can skip to the end and leave a response. Pinging is currently not allowed.

6 Responses to “jarsigner, keytool and expletives”


  1. Dave Carver Says:
    February 3rd, 2009 at 7:20 pm

    Any particular reason that you are not using OpenSSL and hosting your own CA? http://sial.org/howto/openssl/ca/

    You can then use your CA to sign your own certificates, and do not necessarily have to use the java keystore tool.


  2. Denis Roy Says:
    February 3rd, 2009 at 7:24 pm

    Unless I’m wrong, “a local CA is free, and ideal for services not offered to the public” doesn’t seem to fit what we’re doing here, kind of like having an ssl-enabled website with a self-signed cert. Having a trusted CA just seems to make everything more official and trustworthy, even if it’s only a perception.


  3. Dave Carver Says:
    February 3rd, 2009 at 10:52 pm

    True…what it means is that you have to allow distribution and people would have to accept the certificate. Regardless, if you do not like the java keystore tool, there are other ways to sign and the files.

    My two cents.


  4. Chris Says:
    February 4th, 2009 at 9:16 am

    You might not have to renew it. Half the internet thinks the world is supposed to end in 2012. YMMV


  5. Denis Roy Says:
    February 4th, 2009 at 12:00 pm

    @Chris: Hah, funny. If it doesn’t, I’ll hold you responsible.


  6. John Arthorne Says:
    February 5th, 2009 at 12:49 pm

    Sorry Denis, I’m partly responsible for your pain (both in 06 and 09), for not thoroughly reading up on things before offering suggestions. I remember thinking in 2006, “we’ll worry about expiry when it happens, 2009 is ages away”. I do think it’s quite a valuable service and we all appreciate the time you take to set it up.

    Also looking forward to 2012…

Leave a Reply

You must be logged in using your Eclipse Bugzilla account to post a comment.

Recent Posts

Archives

Categories

Meta