
Re: [tycho-user] Question about signing and keystore management

So I managed to configure the eclipse-jarsigner-plugin. Below I'll provide a small how-to and share my experience:

1. Clone the git repository: https://git.eclipse.org/c/cbi/org.eclipse.cbi.git/
2. Build the webservice jar yourself with mvn clean install; it lives under webservice/signing/jar.
3. Copy the jar file from target, and copy the template configuration file from https://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/etc/jar-signing-service.properties into the same folder.
4. Create a keystore with your certificate and use the same password for the keystore and the key (keypass).
5. Edit jar-signing-service.properties.
6. In the parent pom you need the following changes:

<plugin>
  <groupId>org.eclipse.cbi.maven.plugins</groupId>
  <artifactId>eclipse-jarsigner-plugin</artifactId>
  <version>1.1.0</version>
  <executions>
    <execution>
      <id>sign</id>
      <goals>
        <goal>sign</goal>
      </goals>
      <phase>verify</phase>
    </execution>
  </executions>
  <configuration>
    <signerUrl>http://localhost:8080/jar-signing-service</signerUrl>
  </configuration>
</plugin>

 ......

<pluginRepositories>
  <pluginRepository>
    <id>eclipse</id>
    <name>Eclipse Plugin Repository</name>
    <url>https://repo.eclipse.org/content/groups/cbi/</url>
    <layout>default</layout>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
    <releases>
      <updatePolicy>never</updatePolicy>
    </releases>
  </pluginRepository>
</pluginRepositories>


Thank you Andreas for the tip and Mikael for your help.

P.S.: You need a newer mvn and Java 8.
-- 
Best regards,
Aleksandar Toshovski
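Once the plugin is wired into the build as above, the practical check is whether the jars in target/ actually came out signed and have not been touched since. The following is an added example (not code from this thread, from Tycho, or from the CBI project) that inspects the digest layer of a JAR signature: it requires a META-INF/*.SF plus a signature block, and recomputes the SHA-256-Digest of every entry against META-INF/MANIFEST.MF the way jarsigner does. It deliberately stops short of verifying the PKCS#7 block in META-INF/*.RSA, which needs a CMS/X.509 library; `jarsigner -verify` covers that part. The sample jar and its SIG.SF/SIG.RSA placeholder entries are constructed inline and are not a real signature.

```python
"""Check that a jar carries a JAR signature and that its manifest digests
still match the entry contents. Added example; covers the digest layer only,
not the PKCS#7 signature block (META-INF/*.RSA)."""
import base64
import hashlib
import io
import re
import zipfile

# Names jarsigner writes for signature files and signature blocks.
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$")


def parse_manifest(text):
    """Parse MANIFEST.MF into (main_attrs, {entry_name: attrs}).

    Manifest lines are wrapped at 72 bytes; a continuation line starts with
    a single space, so joining '\\n ' reconstructs the original value."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = text.split("\n\n")

    def attrs(block):
        d = {}
        for line in block.split("\n"):
            if ":" in line:
                k, v = line.split(":", 1)
                d[k.strip()] = v.strip()
        return d

    main = attrs(sections[0])
    entries = {}
    for sec in sections[1:]:
        a = attrs(sec)
        if "Name" in a:
            entries[a.pop("Name")] = a
    return main, entries


def verify_jar_digests(jar_bytes):
    """Return (ok, problems). ok is True only if the jar has a .SF file and a
    signature block, and every non-signature entry has a SHA-256-Digest in
    MANIFEST.MF that matches its current content."""
    problems = []
    zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    names = zf.namelist()
    sigs = [n for n in names if SIG_FILE.match(n)]
    if not any(n.endswith(".SF") for n in sigs):
        problems.append("no META-INF/*.SF: jar is unsigned")
    if not any(n.endswith((".RSA", ".DSA", ".EC")) for n in sigs):
        problems.append("no signature block (META-INF/*.RSA|DSA|EC)")
    if "META-INF/MANIFEST.MF" not in names:
        return False, problems + ["no META-INF/MANIFEST.MF"]
    _, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    for n in names:
        if n.endswith("/") or n == "META-INF/MANIFEST.MF" or SIG_FILE.match(n):
            continue
        expected = entries.get(n, {}).get("SHA-256-Digest")
        if expected is None:
            problems.append(f"{n}: no SHA-256-Digest in manifest (added after signing?)")
            continue
        actual = base64.b64encode(hashlib.sha256(zf.read(n)).digest()).decode()
        if actual != expected:
            problems.append(f"{n}: digest mismatch (modified after signing)")
    return not problems, problems


def build_signed_sample(tamper=False, signed=True):
    """Constructed sample jar: two entries, a manifest with jarsigner-style
    SHA-256 digests, and placeholder SIG.SF / SIG.RSA entries (a real .SF
    carries the manifest hash and a real .RSA is a CMS blob). With tamper=True
    plugin.xml is rewritten after the manifest was computed."""
    files = {"plugin.xml": b"<plugin/>", "org/example/A.class": b"\xca\xfe\xba\xbe"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        d = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {d}\r\n\r\n"
    if tamper:
        files["plugin.xml"] = b"<plugin><!-- injected --></plugin>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/SIG.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/SIG.RSA", b"\x30\x00")  # placeholder, not a CMS block
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("intact", build_signed_sample()),
                       ("tampered", build_signed_sample(tamper=True)),
                       ("unsigned", build_signed_sample(signed=False))):
        ok, problems = verify_jar_digests(jar)
        print(label, "OK" if ok else "FAIL", problems)
```

Run it over every jar the verify phase produced (for example with a glob over target/*.jar and the plugins directory of the p2 repository) and fail the pipeline on any jar that reports a problem; a jar that lost its .SF during a later repack, or an entry injected after signing, shows up here before it reaches users.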


On 02/10/15 10:32, Mikael Barbero wrote:

On 2 Oct 2015 at 09:38, Andreas Sewe <andreas.sewe@xxxxxxxxxxxxxx> wrote:

Hi Aleksandar,

I was wondering, do you sign your plugins and how do you manage your
keystores containing the certificates?

Well, on the Open Source side of things we use the Eclipse Foundation's
signing service through the eclipse-jarsigner-plugin. If you don't mind
the admin work, you can also set up your own signing webservice and use
the eclipse-jarsigner-plugin to connect to it [1, 2]; that way you would
not need to distribute your keystore at all but can keep it on the
webservice's server. (Disclaimer: I have not tried this.)


Of course with this solution, you need to protect access to the webservice, otherwise anybody can sign jars with the certificate. We achieve that by keeping it behind our firewall, so that only machines from the same origin can call it.

Feel free to ask questions on cbi-dev@xxxxxxxxxxx if you need help with these.

Cheers,
Mikael


_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx


