[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cbi-dev] Signing service maven plugin

Good catch Denis! That would get the job done.

> Le 2 févr. 2016 à 16:02, Denis Roy <denis.roy@xxxxxxxxxxx> a écrit :
> 
> Jetty supports basic authentication, similarly to apache httpd, which
> makes it easy for clients to authenticate. It's not the most secure
> method (even over https) but it would get the job done:
> 
> https://www.eclipse.org/jetty/documentation/current/configuring-security-authentication.html
> 
> 
> 
> 
> On 02/02/2016 03:27 AM, Mikael Barbero wrote:
>> Right. The service runs within our private LAN and that's how we
>> handle "authentication". If you add an authentication layer, that
>> would be a fantastic contribution. I'm not certain we will use at
>> Eclipse, but this is definitely something that would be interesting
>> for several corporate users.
>> 
>> Cheers, Mikael
>> 
>>> Le 2 févr. 2016 à 09:06, Christian Pontesegger
>>> <christian.pontesegger@xxxxxx
>>> <mailto:christian.pontesegger@xxxxxx>> a écrit :
>>> 
>>> Thanks Mikael for the description. I will try to implement this
>>> on our company infrastructure. I guess for us authentication will
>>> be a topic. Is this something that is interesting for Eclipse? I
>>> guess you are currently accepting connections from eclipse.org
>>> <http://eclipse.org> servers only, right?
>>> 
>>> regards Christian
>>> 
>>> Am 01.02.2016 um 14:03 schrieb Mikael Barbero:
>>>> I forgot to talk about the response:
>>>> 
>>>> HTTP 200 - application/java-archive (Content-Disposition
>>>> attachment) - The signed Jar. HTTP 400 - text/plain - the error
>>>> message about the invalid parameter
>>>> 
>>>> Cheers, Mikael
>>>> 
>>>>> Le 1 févr. 2016 à 13:52, Mikael Barbero
>>>>> <<mailto:mikael@xxxxxxxxxxx>mikael@xxxxxxxxxxx> a écrit :
>>>>> 
>>>>> Hi Christian,
>>>>> 
>>>>> Thank you for the kind words.
>>>>> 
>>>>> Yes, it is possible to setup such a service on your own
>>>>> infrastructure. There is no documentation per se about the
>>>>> server API, but you can guess it easily from the simple
>>>>> single signing servlet
>>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/src/main/java/org/eclipse/cbi/webservice/signing/jar/SigningServlet.java>
>>>>> which is used.
>>>>> 
>>>>> The signing service has a single POST operation (the name of
>>>>> this operation is configurable in the properties file, more
>>>>> on that later). It has several parameters:
>>>>> 
>>>>> * *file* - in formData - required - The jar file to be
>>>>> signed * *digestalg* - in query - optional - The digest
>>>>> algoritm to be used to sign the jar. See -digestalg option at
>>>>> Oracle documentation
>>>>> <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>> for more information. The valid values are (if the
>>>>> configured jarsigner is from Java 8 - advised): o /DEFAULT/,
>>>>> tells to the remote signing webservice to use its default
>>>>> digest algorithm to sign the jar o /MD2/ o /MD5/ o /SHA_1/ o
>>>>> /SHA1/ Use this value if you need to be compatible with some
>>>>> old frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use
>>>>> SHA_1 otherwise. o /SHA_224/ o /SHA_256/ o /SHA_384/ o
>>>>> /SHA_512/ * *sigalg* - in query - optional - The signature
>>>>> algoritm to be used to sign the jar. See -sigalg option at
>>>>> Oracle documentation
>>>>> <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>> for more information. The valid values are (if the
>>>>> configured jarsigner is from Java 8 - advised): o /DEFAULT/,
>>>>> tells to the remote signing webservice to use its default
>>>>> digest algorithm to sign the jar o /NONEwithRSA/ o
>>>>> /MD2withRSA/ o /MD5withRSA/ o /SHA1withRSA/ o
>>>>> /SHA224withRSA/ o /SHA256withRSA/ o /SHA384withRSA/ o
>>>>> /SHA512withRSA/ o /SHA1withDSA/ o /SHA224withDSA/ o
>>>>> /SHA256withDSA/ o /NONEwithECDSA/ o /SHA1withECDSA/ o
>>>>> /SHA224withECDSA/ o /SHA256withECDSA/ o /SHA384withECDSA/ o
>>>>> /SHA512withECDSA/
>>>>> 
>>>>> 
>>>>> You can install the server on a machine by downloading the
>>>>> latest snapshot
>>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&v=LATEST>
>>>>> build of the single jar webservice (it embeds Jetty). I plan
>>>>> to do a release shortly after all the dependencies have been
>>>>> IP approved.
>>>>> 
>>>>> You can start the server with a simple "java -jar
>>>>> jar-signing-service-VERSION.jar" (Java 8 required). It will
>>>>> look for a configuration file named
>>>>> "jar-signing-service.properties" in the current working
>>>>> directory. You can specify the path and filename of this
>>>>> configuration file with the "-c" option switch: "java -jar
>>>>> jar-signing-service-VERSION.jar -c
>>>>> /path/to/my.config.properties"
>>>>> 
>>>>> You will find a sample configuration file (with description
>>>>> about what are the options for) in the git repo
>>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/etc/jar-signing-service.properties>.
>>>>> 
>>>>> 
> You need to configure some information about the JKS and the
>>>>> certificate to be used for signing. I suppose you're familiar
>>>>> with that part.
>>>>> 
>>>>> If you use the eclipse-jarsigner-plugin, you will need to
>>>>> specify the signerUrl parameter
>>>>> <http://www.eclipse.org/cbi/maven-plugins/documentation/1.1.3/eclipse-jarsigner-plugin/sign-mojo.html#signerUrl>
>>>>> to your own service.
>>>>> 
>>>>> If you want to try the webservice without creating a
>>>>> certificate and caring about the configuration file, there is
>>>>> a test server in the jar signing service test jar that I use
>>>>> for headless integration testing. Just download this
>>>>> additional jar
>>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&c=tests&v=LATEST>
>>>>> and run the following command:
>>>>> 
>>>>> On Unix or similar
>>>>> 
>>>>> java -cp
>>>>> /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar
>>>>> 
>>>>> 
> TestServer
>>>>> 
>>>>> On Windows
>>>>> 
>>>>> java -cp
>>>>> C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar
>>>>> 
>>>>> 
> TestServer
>>>>> 
>>>>> It will print an URL (like http://localhost:3138/jarsigner)
>>>>> that you can add to your maven build
>>>>> (-Dcbi.jarsigner.signerUrl=<http://localhost:3138/jarsigner>http://localhost:3138/jarsigner)
>>>>> 
>>>>> 
> and it will sign your jars locally with a dummy certificate. You can
>>>>> pass --help to see the options you can give to the
>>>>> TestServer. This test server has the same REST api as the
>>>>> production one.
>>>>> 
>>>>> I hope it will help you with using this project. If you have
>>>>> more questions, please feel free to ask. If you see something
>>>>> that you miss from the current implementation, we are
>>>>> welcoming contributions ;)
>>>>> 
>>>>> Cheers, Mikael
>>>>> 
>>>>>> Le 29 janv. 2016 à 20:02, Christian Pontesegger
>>>>>> <christian.pontesegger@xxxxxx
>>>>>> <mailto:christian.pontesegger@xxxxxx>> a écrit :
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I like the way eclipse is signing its plugins using the
>>>>>> eclipse-jarsigner-plugin. I wonder if it is possible to
>>>>>> setup such a service in our company, too. Is there
>>>>>> documentation available how the server API works? Is it a
>>>>>> REST API, or how does the backend work?
>>>>>> 
>>>>>> Further it would be interesting to get the source code to
>>>>>> eventually add some additional functionality like
>>>>>> authenticating to the signing server first.
>>>>>> 
>>>>>> thanks Christian
>>>>>> 
>>>>>> _______________________________________________ cbi-dev
>>>>>> mailing list cbi-dev@xxxxxxxxxxx
>>>>>> <mailto:cbi-dev@xxxxxxxxxxx> To change your delivery
>>>>>> options, retrieve your password, or unsubscribe from this
>>>>>> list, visit
>>>>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>>>>> 
>>>>> _______________________________________________ cbi-dev
>>>>> mailing list cbi-dev@xxxxxxxxxxx
>>>>> <mailto:cbi-dev@xxxxxxxxxxx> To change your delivery options,
>>>>> retrieve your password, or unsubscribe from this list, visit
>>>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________ cbi-dev mailing
>>>> list cbi-dev@xxxxxxxxxxx To change your delivery options,
>>>> retrieve your password, or unsubscribe from this list, visit
>>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>>> 
>>> _______________________________________________ cbi-dev mailing
>>> list cbi-dev@xxxxxxxxxxx <mailto:cbi-dev@xxxxxxxxxxx> To change
>>> your delivery options, retrieve your password, or unsubscribe
>>> from this list, visit
>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>> 
>> 
>> 
>> _______________________________________________ cbi-dev mailing
>> list cbi-dev@xxxxxxxxxxx To change your delivery options, retrieve
>> your password, or unsubscribe from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>> 
> _______________________________________________
> cbi-dev mailing list
> cbi-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/cbi-dev

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail