Re: [tycho-user] Question about signing and keystore management


On 2 Oct 2015, at 09:38, Andreas Sewe <andreas.sewe@xxxxxxxxxxxxxx> wrote:

Hi Aleksandar,

I was wondering, do you sign your plugins and how do you manage your
keystores containing the certificates?

well, on the Open Source side of things we use the Eclipse Foundation's
signing service through the eclipse-jarsigner-plugin. If you don't mind
the admin work, you can also set up your own signing webservice and use
the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
not need to distribute your keystore at all but can keep it on the
webservice's server. (Disclaimer: I have not tried this.)


Of course with this solution, you need to protect the access to the webservice, otherwise anybody can sign jars with the certificate. We achieve that by keeping it behind our firewall, and only machines from the same origin can call it. 

Feel free to ask questions on cbi-dev@xxxxxxxxxxx if you need help with these.

Cheers,
Mikael
