Re: [cbi-dev] Signing service maven plugin
Right. The service runs within our private LAN and that's how we handle "authentication". If you add an authentication layer, that would be a fantastic contribution. I'm not certain we will use it at Eclipse, but this is definitely something that would be interesting for several corporate users.
Cheers, Mikael
Thanks Mikael for the description. I will try to implement this on
our company infrastructure. I guess for us authentication will be a
topic. Is this something that is interesting for Eclipse? I guess
you are currently accepting connections from eclipse.org servers
only, right?
regards
Christian
On 01.02.2016 at 14:03, Mikael Barbero wrote:
I forgot to talk about the response:
- HTTP 200 - application/java-archive (Content-Disposition attachment) - The signed Jar.
- HTTP 400 - text/plain - the error message about the invalid parameter
Cheers,
Mikael
Hi Christian,
Thank you for the kind words.
Yes, it is possible to set up such a service on your own infrastructure. There is no documentation per se about the server API, but you can guess it easily from the simple single signing servlet which is used.
The signing service has a single POST operation (the name of this operation is configurable in the properties file, more on that later). It has several parameters:
- file - in formData - required - The jar file to be signed
- digestalg - in query - optional - The digest algorithm to be used to sign the jar. See -digestalg option at Oracle documentation for more information. The valid values are (if the configured jarsigner is from Java 8 - advised):
  - DEFAULT, tells the remote signing webservice to use its default digest algorithm to sign the jar
  - MD2
  - MD5
  - SHA_1
  - SHA1 Use this value if you need to be compatible with some old frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use SHA_1 otherwise.
  - SHA_224
  - SHA_256
  - SHA_384
  - SHA_512
- sigalg - in query - optional - The signature algorithm to be used to sign the jar. See -sigalg option at Oracle documentation for more information. The valid values are (if the configured jarsigner is from Java 8 - advised):
  - DEFAULT, tells the remote signing webservice to use its default digest algorithm to sign the jar
  - NONEwithRSA
  - MD2withRSA
  - MD5withRSA
  - SHA1withRSA
  - SHA224withRSA
  - SHA256withRSA
  - SHA384withRSA
  - SHA512withRSA
  - SHA1withDSA
  - SHA224withDSA
  - SHA256withDSA
  - NONEwithECDSA
  - SHA1withECDSA
  - SHA224withECDSA
  - SHA256withECDSA
  - SHA384withECDSA
  - SHA512withECDSA
You can install the server on a machine by
downloading the latest snapshot build of the single jar
webservice (it embeds Jetty). I plan to do a release
shortly after all the dependencies have been IP
approved.
You can start the server with a simple "java -jar jar-signing-service-VERSION.jar" (Java 8 required). It will look for a configuration file named "jar-signing-service.properties" in the current working directory. You can specify the path and filename of this configuration file with the "-c" option switch: "java -jar jar-signing-service-VERSION.jar -c /path/to/my.config.properties"
You will find a sample configuration file (with a description of what the options are for) in the git repo. You need to configure some information about the JKS and the certificate to be used for signing. I suppose you're familiar with that part.
If you use the eclipse-jarsigner-plugin,
you will need to specify the signerUrl parameter to your own
service.
If you want to try the webservice without creating a certificate and caring about the configuration file, there is a test server in the jar signing service test jar that I use for headless integration testing. Just download this additional jar and run the following command:
On Unix or similar
  java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer
On Windows
  java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer
It will print a URL (like http://localhost:3138/jarsigner) that you can add to your maven build (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner) and it will sign your jars locally with a dummy certificate. You can pass --help to see the options you can give to the TestServer. This test server has the same REST API as the production one.
I hope it will help you with using this
project. If you have more questions, please feel free
to ask. If you see something that you miss from the
current implementation, we are welcoming contributions
;)
Cheers,
Mikael
Hi,
I like the way Eclipse is signing its plugins using the eclipse-jarsigner-plugin. I wonder if it is possible to set up such a service in our company, too.
Is there documentation available how the
server API works? Is it a REST API, or how
does the backend work?
Further it would be interesting to get the
source code to eventually add some additional
functionality like authenticating to the
signing server first.
thanks
Christian
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your
password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
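
Added example, not part of the thread or the CBI project's code: a Python client for the endpoint as Mikael describes it (POST, `file` form field, optional `digestalg`/`sigalg` query parameters, HTTP 200 with the signed jar, HTTP 400 with a text/plain message). It assumes `file` is sent as multipart/form-data; `build_request`, `sign_jar` and `SigningError` are names invented here, and the URL in the usage is the TestServer one from the message.

```python
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Values listed in the message (valid when the server's jarsigner is from Java 8).
DIGEST_ALGS = {"DEFAULT", "MD2", "MD5", "SHA_1", "SHA1", "SHA_224",
               "SHA_256", "SHA_384", "SHA_512"}
SIG_ALGS = {"DEFAULT"} | {f"{h}with{k}" for k, hs in {
    "RSA": ["NONE", "MD2", "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"],
    "DSA": ["SHA1", "SHA224", "SHA256"],
    "ECDSA": ["NONE", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"],
}.items() for h in hs}


class SigningError(Exception):
    """The service rejected the request or returned something other than a jar."""


def build_request(signer_url, jar_bytes, filename, digestalg=None, sigalg=None):
    # Reject unknown values locally instead of waiting for the server's HTTP 400.
    if digestalg is not None and digestalg not in DIGEST_ALGS:
        raise ValueError(f"unsupported digestalg: {digestalg}")
    if sigalg is not None and sigalg not in SIG_ALGS:
        raise ValueError(f"unsupported sigalg: {sigalg}")
    query = {k: v for k, v in (("digestalg", digestalg), ("sigalg", sigalg)) if v}
    url = signer_url + ("?" + urllib.parse.urlencode(query) if query else "")
    # Assumption: the "file" formData parameter is a multipart/form-data part.
    boundary = uuid.uuid4().hex
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/java-archive\r\n\r\n").encode()
    body += jar_bytes + f"\r\n--{boundary}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def sign_jar(signer_url, jar_bytes, filename="unsigned.jar", **algs):
    req = build_request(signer_url, jar_bytes, filename, **algs)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            ctype = resp.headers.get_content_type()
            if ctype != "application/java-archive":
                raise SigningError(f"unexpected content type: {ctype}")
            return resp.read()  # HTTP 200: the signed jar
    except urllib.error.HTTPError as err:
        if err.code == 400:  # text/plain message about the invalid parameter
            raise SigningError(err.read().decode(errors="replace")) from err
        raise
```

With the TestServer running, `sign_jar("http://localhost:3138/jarsigner", open("my.jar", "rb").read(), digestalg="SHA_256")` returns the signed jar bytes.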