Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cbi-dev] Signing service maven plugin

Right. The service runs within our private LAN and that's how we handle "authentication". If you add an authentication layer, that would be a fantastic contribution. I'm not certain we will use at Eclipse, but this is definitely something that would be interesting for several corporate users.

Cheers,
Mikael

Le 2 févr. 2016 à 09:06, Christian Pontesegger <christian.pontesegger@xxxxxx> a écrit :

Thanks Mikael for the description. I will try to implement this on our company infrastructure. I guess for us authentication will be a topic. Is this something that is interesting for Eclipse? I guess you are currently accepting connections from eclipse.org servers only, right?

regards
Christian

Am 01.02.2016 um 14:03 schrieb Mikael Barbero:
I forgot to talk about the response:

HTTP 200 - application/java-archive (Content-Disposition attachment) - The signed Jar.
HTTP 400 - text/plain - the error message about the invalid parameter

Cheers,
Mikael

Le 1 févr. 2016 à 13:52, Mikael Barbero <mikael@xxxxxxxxxxx> a écrit :

Hi Christian,

Thank you for the kind words. 

Yes, it is possible to setup such a service on your own infrastructure. There is no documentation per se about the server API, but you can guess it easily from the simple single signing servlet which is used.

The signing service has a single POST operation (the name of this operation is configurable in the properties file, more on that later). It has several parameters:
  • file - in formData - required - The jar file to be signed
  • digestalg - in query - optional - The digest algoritm to be used to sign the jar. See -digestalg option at Oracle documentation for more information. The valid values are (if the configured jarsigner is from Java 8 - advised):
    • DEFAULT, tells to the remote signing webservice to use its default digest algorithm to sign the jar
    • MD2
    • MD5
    • SHA_1
    • SHA1 Use this value if you need to be compatible with some old frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use SHA_1 otherwise.
    • SHA_224
    • SHA_256
    • SHA_384
    • SHA_512
  • sigalg - in query - optional - The signature algoritm to be used to sign the jar. See -sigalg option at Oracle documentation for more information. The valid values are (if the configured jarsigner is from Java 8 - advised):
    • DEFAULT, tells to the remote signing webservice to use its default digest algorithm to sign the jar
    • NONEwithRSA
    • MD2withRSA
    • MD5withRSA
    • SHA1withRSA
    • SHA224withRSA
    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA1withDSA
    • SHA224withDSA
    • SHA256withDSA
    • NONEwithECDSA
    • SHA1withECDSA
    • SHA224withECDSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA

You can install the server on a machine by downloading the latest snapshot build of the single jar webservice (it embeds Jetty). I plan to do a release shortly after all the dependencies have been IP approved.

You can start the server with a simple "java -jar jar-signing-service-VERSION.jar" (Java 8 required). It will look for a configuration file named "jar-signing-service.properties" in the current working directory. You can specify the path and filename of this configuration file with the "-c" option switch: "java -jar jar-signing-service-VERSION.jar -c /path/to/my.config.properties"

You will find a sample configuration file (with description about what are the options for) in the git repo. You need to configure some information about the JKS and the certificate to be used for signing. I suppose you're familiar with that part. 

If you use the eclipse-jarsigner-plugin, you will need to specify the signerUrl parameter to your own service.

If you want to try the webservice without creating a certificate and caring about the configuration file, there is a test server in the jar signing service test jar that I use for headless integration testing. Just download this additional jar and run the following command:

On Unix or similar

java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer

On Windows

java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer

It will print an URL (like http://localhost:3138/jarsigner) that you can add to your maven build (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner) and it will sign your jars locally with a dummy certificate. You can pass --help to see the options you can give to the TestServer. This test server has the same REST api as the production one. 

I hope it will help you with using this project. If you have more questions, please feel free to ask. If you see something that you miss from the current implementation, we are welcoming contributions ;)

Cheers,
Mikael

Le 29 janv. 2016 à 20:02, Christian Pontesegger <christian.pontesegger@xxxxxx> a écrit :

Hi,

I like the way eclipse is signing its plugins using the eclipse-jarsigner-plugin. I wonder if it is possible to setup such a service in our company, too.
Is there documentation available how the server API works? Is it a REST API, or how does the backend work?

Further it would be interesting to get the source code to eventually add some additional functionality like authenticating to the signing server first.

thanks
Christian

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev



_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


Back to the top