Re: [tycho-user] Question about signing and keystore management

Hi Aleksandar,

> I was wondering, do you sign your plugins and how do you manage your 
> keystores containing the certificates?

well, on the Open Source side of things we use the Eclipse Foundation's
signing service through the eclipse-jarsigner-plugin. If you don't mind
the admin work, you can also set up your own signing webservice and use
the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
not need to distribute your keystore at all but can keep it on the
webservice's server. (Disclaimer: I have not tried this.)

> My idea is to store the keystore in nexus and download it with maven, 
> when I need to sign the project. In the pom file I need to encrypt the 
> keystore and keypass pass. I will use the maven password encryption 
> mechanism. The whole thing must work for multiple developers and jenkins 
> server. So we have to manually distribute the settings-security.xml
> 
> Is it a good idea to store the keystore on a local nexus server? Do you 
> use maven password encryption? Did you manage to integrate the master 
> password credentials in jenkins?
> 
> If that's not a good idea, how do you do it?

On the Closed Source side of things, I have put the keystore simply into
Git, the secret not being the encrypted keystore but the password to it.
The encrypted password itself is also in the checked-in POM, but the
password to that is *not*, but kept in the settings-security.xml. Yes,
you have to distribute that file manually, but everything else is
encrypted and in Git.

Downloading from Nexus rather than checking the keystore into Git sounds
nice as well, but I don't think that the maven-jarsigner-plugin can
access a keystore in one of its plugin dependencies. Thus, you cannot
let Maven magically download the keystore for you but have to resort to
the maven-dependency-plugin or similar to fetch it. I thought this to
be a bit too cumbersome and went down the checking-into-Git route instead.

Hope this helps.

Andreas

[1] <http://www.codetrails.com/comment/13#comment-13>
[2] <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/>

-- 
Codetrails GmbH
The knowledge transfer company

Robert-Bosch-Str. 7, 64293 Darmstadt
Phone: +49-6151-276-7092
Mobile: +49-170-811-3791
http://www.codetrails.com/

Managing Director: Dr. Marcel Bruch
Handelsregister: Darmstadt HRB 91940
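The scheme Andreas describes rests on one invariant: the keystore and an encrypted password may live in Git, but the master password (settings-security.xml) and any plaintext store or key password must not. The following check, added here as an illustration and not taken from this thread or from Maven or Tycho, lints a checked-in POM for that invariant. It accepts Maven's `{...}` encrypted form and `${...}` property references as non-plaintext, flags anything else, and separately flags a tracked settings-security.xml. The POM content, the `{...}` token and the file list are constructed sample input.

```python
"""Pre-commit style check for a Maven signing setup in which the keystore
is committed but its passwords are not.

Added example (not from the mailing-list thread, Maven or Tycho). It
checks two things Andreas's scheme depends on:
  1. every <storepass>/<keypass> in a checked-in POM is either Maven's
     {encrypted} form or a ${property} reference, never a literal; and
  2. settings-security.xml (the master password) is not a tracked file.
"""
import os
import re
import xml.etree.ElementTree as ET

# Maven wraps an encrypted password as {base64}; a property reference is ${name}.
MAVEN_ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
PROPERTY_REF = re.compile(r"^\$\{[^}]+\}$")
SECRET_TAGS = ("storepass", "keypass")
MASTER_PASSWORD_FILE = "settings-security.xml"


def is_non_plaintext(value: str) -> bool:
    """True if the value is encrypted or deferred to a property, i.e. safe to commit."""
    return bool(MAVEN_ENCRYPTED.match(value) or PROPERTY_REF.match(value))


def find_plaintext_secrets(pom_xml: str) -> list[str]:
    """Return one finding per jarsigner password element that holds a literal."""
    root = ET.fromstring(pom_xml)
    findings = []
    for element in root.iter():
        tag = element.tag.split("}")[-1]  # drop the POM namespace prefix
        if tag in SECRET_TAGS:
            value = (element.text or "").strip()
            if not is_non_plaintext(value):
                findings.append(f"<{tag}> holds a plaintext value")
    return findings


def tracked_master_password_files(tracked_paths: list[str]) -> list[str]:
    """Return every tracked path whose file name is settings-security.xml."""
    return [p for p in tracked_paths if os.path.basename(p) == MASTER_PASSWORD_FILE]


# Constructed sample POM: storepass is in Maven's encrypted form (token made
# up for this example), keypass is a plaintext literal that must be flagged.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <configuration>
      <keystore>${project.basedir}/signing/release.jks</keystore>
      <alias>release</alias>
      <storepass>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</storepass>
      <keypass>hunter2</keypass>
    </configuration>
  </plugin></plugins></build>
</project>
"""

# Constructed list standing in for `git ls-files` output.
SAMPLE_TRACKED = ["pom.xml", "signing/release.jks", ".m2/settings-security.xml"]


def run_checks(pom_xml: str, tracked_paths: list[str]) -> list[str]:
    """Combine both checks into a single list of findings (empty means clean)."""
    findings = find_plaintext_secrets(pom_xml)
    findings += [f"master password file tracked: {p}"
                 for p in tracked_master_password_files(tracked_paths)]
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_POM, SAMPLE_TRACKED):
        print("FAIL:", finding)
```

In a real repository the tracked list would come from `git ls-files` and the POM from the working tree; the check is deliberately strict, so a committed keystore path is fine but any literal password or a committed settings-security.xml fails the build.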
