Re: [cbi-dev] Signing service maven plugin

Jetty supports basic authentication, similarly to Apache httpd, which
makes it easy for clients to authenticate. It's not the most secure
method (even over HTTPS) but it would get the job done:

https://www.eclipse.org/jetty/documentation/current/configuring-security-authentication.html




On 02/02/2016 03:27 AM, Mikael Barbero wrote:
> Right. The service runs within our private LAN and that's how we
> handle "authentication". If you add an authentication layer, that
> would be a fantastic contribution. I'm not certain we will use it at
> Eclipse, but this is definitely something that would be interesting
> for several corporate users.
> 
> Cheers, Mikael
> 
>> On 2 Feb 2016, at 09:06, Christian Pontesegger
>> <christian.pontesegger@xxxxxx> wrote:
>> 
>> Thanks Mikael for the description. I will try to implement this
>> on our company infrastructure. I guess for us authentication will
>> be a topic. Is this something that is interesting for Eclipse? I
>> guess you are currently accepting connections from eclipse.org
>> servers only, right?
>> 
>> regards Christian
>> 
>> On 01.02.2016 at 14:03, Mikael Barbero wrote:
>>> I forgot to talk about the response:
>>> 
>>> * HTTP 200 - application/java-archive (Content-Disposition
>>>   attachment) - The signed Jar.
>>> * HTTP 400 - text/plain - the error message about the invalid
>>>   parameter
>>> 
>>> Cheers, Mikael
>>> 
>>>> On 1 Feb 2016, at 13:52, Mikael Barbero
>>>> <mikael@xxxxxxxxxxx> wrote:
>>>> 
>>>> Hi Christian,
>>>> 
>>>> Thank you for the kind words.
>>>> 
>>>> Yes, it is possible to set up such a service on your own 
>>>> infrastructure. There is no documentation per se about the
>>>> server API, but you can guess it easily from the simple
>>>> single signing servlet 
>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/src/main/java/org/eclipse/cbi/webservice/signing/jar/SigningServlet.java>
>>>> which is used.
>>>> 
>>>> The signing service has a single POST operation (the name of
>>>> this operation is configurable in the properties file, more
>>>> on that later). It has several parameters:
>>>> 
>>>> * *file* - in formData - required - The jar file to be signed
>>>> * *digestalg* - in query - optional - The digest algorithm to be
>>>>   used to sign the jar. See -digestalg option at Oracle documentation
>>>>   <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>   for more information. The valid values are (if the configured
>>>>   jarsigner is from Java 8 - advised):
>>>>     o /DEFAULT/, tells the remote signing webservice to use its
>>>>       default digest algorithm to sign the jar
>>>>     o /MD2/
>>>>     o /MD5/
>>>>     o /SHA_1/
>>>>     o /SHA1/ Use this value if you need to be compatible with some
>>>>       old frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use
>>>>       SHA_1 otherwise.
>>>>     o /SHA_224/
>>>>     o /SHA_256/
>>>>     o /SHA_384/
>>>>     o /SHA_512/
>>>> * *sigalg* - in query - optional - The signature algorithm to be
>>>>   used to sign the jar. See -sigalg option at Oracle documentation
>>>>   <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>   for more information. The valid values are (if the configured
>>>>   jarsigner is from Java 8 - advised):
>>>>     o /DEFAULT/, tells the remote signing webservice to use its
>>>>       default digest algorithm to sign the jar
>>>>     o /NONEwithRSA/
>>>>     o /MD2withRSA/
>>>>     o /MD5withRSA/
>>>>     o /SHA1withRSA/
>>>>     o /SHA224withRSA/
>>>>     o /SHA256withRSA/
>>>>     o /SHA384withRSA/
>>>>     o /SHA512withRSA/
>>>>     o /SHA1withDSA/
>>>>     o /SHA224withDSA/
>>>>     o /SHA256withDSA/
>>>>     o /NONEwithECDSA/
>>>>     o /SHA1withECDSA/
>>>>     o /SHA224withECDSA/
>>>>     o /SHA256withECDSA/
>>>>     o /SHA384withECDSA/
>>>>     o /SHA512withECDSA/
>>>> 
>>>> 
>>>> You can install the server on a machine by downloading the
>>>> latest snapshot 
>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&v=LATEST>
>>>> build of the single jar webservice (it embeds Jetty). I plan
>>>> to do a release shortly after all the dependencies have been
>>>> IP approved.
>>>> 
>>>> You can start the server with a simple "java -jar 
>>>> jar-signing-service-VERSION.jar" (Java 8 required). It will
>>>> look for a configuration file named
>>>> "jar-signing-service.properties" in the current working
>>>> directory. You can specify the path and filename of this
>>>> configuration file with the "-c" option switch: "java -jar 
>>>> jar-signing-service-VERSION.jar -c
>>>> /path/to/my.config.properties"
>>>> 
>>>> You will find a sample configuration file (with a description
>>>> of what the options are for) in the git repo 
>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/etc/jar-signing-service.properties>.
>>>> 
>>>> You need to configure some information about the JKS and the
>>>> certificate to be used for signing. I suppose you're familiar
>>>> with that part.
>>>> 
>>>> If you use the eclipse-jarsigner-plugin, you will need to
>>>> specify the signerUrl parameter 
>>>> <http://www.eclipse.org/cbi/maven-plugins/documentation/1.1.3/eclipse-jarsigner-plugin/sign-mojo.html#signerUrl>
>>>> to your own service.
>>>> 
>>>> If you want to try the webservice without creating a
>>>> certificate and caring about the configuration file, there is
>>>> a test server in the jar signing service test jar that I use
>>>> for headless integration testing. Just download this
>>>> additional jar 
>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&c=tests&v=LATEST>
>>>> and run the following command:
>>>> 
>>>> On Unix or similar
>>>> 
>>>> java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer
>>>> 
>>>> On Windows
>>>> 
>>>> java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer
>>>> 
>>>> It will print a URL (like http://localhost:3138/jarsigner)
>>>> that you can add to your maven build 
>>>> (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner)
>>>> and it will sign your jars locally with a dummy certificate. You can
>>>> pass --help to see the options you can give to the
>>>> TestServer. This test server has the same REST api as the
>>>> production one.
>>>> 
>>>> I hope it will help you with using this project. If you have
>>>> more questions, please feel free to ask. If you see something
>>>> that you miss from the current implementation, we are
>>>> welcoming contributions ;)
>>>> 
>>>> Cheers, Mikael
>>>> 
>>>>> On 29 Jan 2016, at 20:02, Christian Pontesegger
>>>>> <christian.pontesegger@xxxxxx> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I like the way eclipse is signing its plugins using the 
>>>>> eclipse-jarsigner-plugin. I wonder if it is possible to
>>>>> set up such a service in our company, too. Is there
>>>>> documentation available on how the server API works? Is it a 
>>>>> REST API, or how does the backend work?
>>>>> 
>>>>> Further it would be interesting to get the source code to 
>>>>> eventually add some additional functionality like
>>>>> authenticating to the signing server first.
>>>>> 
>>>>> thanks Christian
>>>>> 
>>>>> _______________________________________________ cbi-dev
>>>>> mailing list cbi-dev@xxxxxxxxxxx
>>>>> <mailto:cbi-dev@xxxxxxxxxxx> To change your delivery
>>>>> options, retrieve your password, or unsubscribe from this
>>>>> list, visit 
>>>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>>>> 
>
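
The request checks discussed in this thread (Basic credentials in front of the signing POST, then the HTTP 400 text/plain answer for an invalid parameter), as an added Python example that is not code from the thread or from the CBI project. The `gate` function, the `build-bot` account, the salt, the realm name and the 401 challenge are assumptions made for illustration; the allowed `digestalg` and `sigalg` values are the ones listed in the quoted message.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Allowed values copied from the parameter list in the quoted message.
DIGEST_ALGS = set("DEFAULT MD2 MD5 SHA_1 SHA1 SHA_224 SHA_256 SHA_384 SHA_512".split())
SIG_ALGS = {"DEFAULT"} | {f"{d}with{k}" for k, ds in {
    "RSA": "NONE MD2 MD5 SHA1 SHA224 SHA256 SHA384 SHA512",
    "DSA": "SHA1 SHA224 SHA256",
    "ECDSA": "NONE SHA1 SHA224 SHA256 SHA384 SHA512"}.items() for d in ds.split()}

SALT = b"constructed-salt"  # constructed sample value

def derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed (hypothetical) account; only the derived key is stored.
USERS = {"build-bot": derive("correct horse")}

def basic_header(user, password):
    """What a client sends. base64 is an encoding, not encryption:
    anyone who sees this header recovers the password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticated(headers):
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return False
    user, sep, password = decoded.partition(":")
    stored = USERS.get(user, bytes(32))  # dummy key: unknown users cost the same work
    match = hmac.compare_digest(derive(password), stored)
    return bool(sep) and user in USERS and match

def gate(headers, query_string):
    """Decide the response before any jar is read: (status, headers, text)."""
    if not authenticated(headers):
        return 401, {"WWW-Authenticate": 'Basic realm="jar-signing"'}, "authentication required"
    query = parse_qs(query_string, keep_blank_values=True)
    for name, allowed in (("digestalg", DIGEST_ALGS), ("sigalg", SIG_ALGS)):
        for value in query.get(name, []):
            if value not in allowed:
                return 400, {"Content-Type": "text/plain"}, f"invalid {name}: {value!r}"
    return 200, {}, "authorised, parameters valid"
```

A deployment can shrink the two sets to the algorithms it is willing to sign with; anything outside them is then rejected with the same 400 response.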