|Re: [cbi-dev] Signing service maven plugin|
Thank you for the kind words.
Yes, it is possible to set up such a service on your own infrastructure. There is no documentation per se about the server API, but you can guess it easily from the simple single signing servlet which is used.
The signing service has a single POST operation (the name of this operation is configurable in the properties file, more on that later). It has several parameters:
You can install the server on a machine by downloading the latest snapshot build of the single jar webservice (it embeds Jetty). I plan to do a release shortly after all the dependencies have been IP approved.
You can start the server with a simple "java -jar jar-signing-service-VERSION.jar" (Java 8 required). It will look for a configuration file named "jar-signing-service.properties" in the current working directory. You can specify the path and filename of this configuration file with the "-c" option switch: "java -jar jar-signing-service-VERSION.jar -c /path/to/my.config.properties"
You will find a sample configuration file (with a description of what the options are for) in the git repo. You need to configure some information about the JKS and the certificate to be used for signing. I suppose you're familiar with that part.
If you use the eclipse-jarsigner-plugin, you will need to specify the signerUrl parameter to your own service.
If you want to try the webservice without creating a certificate and caring about the configuration file, there is a test server in the jar signing service test jar that I use for headless integration testing. Just download this additional jar and run the following command:
On Unix or similar
java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer
On Windows
java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer
It will print a URL (like http://localhost:3138/jarsigner) that you can add to your Maven build (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner) and it will sign your jars locally with a dummy certificate. You can pass --help to see the options you can give to the TestServer. This test server has the same REST API as the production one.
I hope it will help you with using this project. If you have more questions, please feel free to ask. If you see something that you miss from the current implementation, we are welcoming contributions ;)