Re: [tycho-user] Question about signing and keystore management
Hi Aleksandar,
> I was wondering, do you sign your plugins and how do you manage your
> keystores containing the certificates?
well, on the Open Source side of things we use the Eclipse Foundation's
signing service through the eclipse-jarsigner-plugin. If you don't mind
the admin work, you can also set up your own signing webservice and use
the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
not need to distribute your keystore at all but can keep it on the
webservice's server. (Disclaimer: I have not tried this.)
> My idea is to store the keystore in nexus and download it with maven,
> when I need to sign the project. In the pom file I need to encrypt the
> keystore and keypass pass. I will use the maven password encryption
> mechanism. The whole thing must work for multiple developers and jenkins
> server. So we have manually to distribute the settings-security.xml
>
> Is it a good idea to store the keystore on a local nexus server? Do you
> use maven password encryption? Did you manage to integrate the master
> password credentials in jenkins?
>
> If that's not a good idea, how do you do it?
On the Closed Source side of things, I have put the keystore simply into
Git, the secret not being the encrypted keystore but the password to it.
The encrypted password itself is also in the checked-in POM, but the
password to that is *not*, but kept in the settings-security.xml. Yes,
you have to distribute that file manually, but everything else is
encrypted and in Git.
Downloading from Nexus rather than checking the keystore into Git sounds
nice as well, but I don't think that the maven-jarsigner-plugin can
access a keystore in one of its plugin dependencies. Thus, you cannot
let Maven magically download the keystore for you but have to resort to
the maven-dependency-plugin or similar to fetch it. I thought this to
be a bit too cumbersome and went down the checking-into-Git route instead.
Hope this helps.
Andreas
[1] <http://www.codetrails.com/comment/13#comment-13>
[2] <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/>
--
Codetrails GmbH
The knowledge transfer company
Robert-Bosch-Str. 7, 64293 Darmstadt
Phone: +49-6151-276-7092
Mobile: +49-170-811-3791
http://www.codetrails.com/
Managing Director: Dr. Marcel Bruch
Handelsregister: Darmstadt HRB 91940
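The split Andreas describes (keystore and an encrypted password may live in Git, the master password in settings-security.xml must not, and no plaintext store or key password may appear in a committed POM) is easy to get wrong on a team with several developers and a Jenkins box. The following is an added example, not code from the thread, from Codetrails or from the Tycho project: a small Python audit that parses a pom.xml and the list of files tracked by the repository and reports violations of that layout. The `storepass`/`keypass` element names are the maven-jarsigner-plugin's configuration parameters; the two sample POMs and the tracked-file lists are constructed for the example.

```python
"""Audit a Maven project for signing secrets that must stay out of Git.

Added example (not from the tycho-user thread). It checks two things:
  1. every <storepass>/<keypass> in pom.xml is either Maven's encrypted
     token form {base64} or a ${property} reference, never a plaintext
     password;
  2. settings-security.xml (the file holding the master password, which
     has to be distributed by hand) is not tracked by the repository.
"""
import re
import xml.etree.ElementTree as ET

SECRET_TAGS = ("storepass", "keypass")            # maven-jarsigner-plugin parameters
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")  # Maven's {…} encrypted token
PROPERTY_REF = re.compile(r"^\$\{[^}]+\}$")        # ${some.property}
FORBIDDEN_BASENAMES = {"settings-security.xml"}   # master password lives here


def _local_name(tag):
    """Strip a {namespace} prefix so POMs with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_secrets(pom_xml):
    """Return (tag, value) pairs whose value is a plaintext password."""
    root = ET.fromstring(pom_xml)
    leaks = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name not in SECRET_TAGS:
            continue
        value = (el.text or "").strip()
        if not value or ENCRYPTED.match(value) or PROPERTY_REF.match(value):
            continue
        leaks.append((name, value))
    return leaks


def committed_forbidden_files(tracked_paths):
    """Return tracked paths whose basename must never be committed."""
    return [p for p in tracked_paths if p.rsplit("/", 1)[-1] in FORBIDDEN_BASENAMES]


def audit(pom_xml, tracked_paths):
    """Combine both checks into a list of human-readable findings."""
    problems = [f"plaintext {tag} in pom.xml" for tag, _ in find_plaintext_secrets(pom_xml)]
    problems += [f"master password file committed: {p}"
                 for p in committed_forbidden_files(tracked_paths)]
    return problems


# Constructed sample input: a POM that follows the layout from the thread ...
POM_OK = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <configuration>
      <keystore>${project.basedir}/signing/release.jks</keystore>
      <alias>release</alias>
      <storepass>${signing.storepass}</storepass>
      <keypass>{EXAMPLEencryptedTOKENonly==}</keypass>
    </configuration>
  </plugin></plugins></build>
</project>"""

# ... and one that leaks the store password in clear text.
POM_LEAK = POM_OK.replace("${signing.storepass}", "changeit")

# Constructed `git ls-files` output for a clean and a leaking repository.
TRACKED_OK = ["pom.xml", "signing/release.jks", ".gitignore"]
TRACKED_LEAK = ["pom.xml", "signing/release.jks", ".m2/settings-security.xml"]

if __name__ == "__main__":
    for label, pom, tracked in (("clean", POM_OK, TRACKED_OK),
                                ("leaking", POM_LEAK, TRACKED_LEAK)):
        print(label, audit(pom, tracked) or ["no findings"])
```

Run it against the real `pom.xml` and the output of `git ls-files` as a pre-commit or Jenkins step; a non-empty result means either a password was pasted into the POM in clear text or the master-password file slipped into the repository.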