Re: [cbi-dev] Signing service maven plugin

Good catch Denis! That would get the job done.

> On 2 Feb 2016 at 16:02, Denis Roy <denis.roy@xxxxxxxxxxx> wrote:
> 
> Jetty supports basic authentication, similarly to apache httpd, which
> makes it easy for clients to authenticate. It's not the most secure
> method (even over https) but it would get the job done:
> 
> https://www.eclipse.org/jetty/documentation/current/configuring-security-authentication.html
> 
> 
> 
> 
> On 02/02/2016 03:27 AM, Mikael Barbero wrote:
>> Right. The service runs within our private LAN and that's how we
>> handle "authentication". If you add an authentication layer, that
>> would be a fantastic contribution. I'm not certain we will use at
>> Eclipse, but this is definitely something that would be interesting
>> for several corporate users.
>> 
>> Cheers, Mikael
>> 
>>> On 2 Feb 2016 at 09:06, Christian Pontesegger
>>> <christian.pontesegger@xxxxxx> wrote:
>>> 
>>> Thanks Mikael for the description. I will try to implement this
>>> on our company infrastructure. I guess for us authentication will
>>> be a topic. Is this something that is interesting for Eclipse? I
>>> guess you are currently accepting connections from eclipse.org
>>> servers only, right?
>>> 
>>> regards Christian
>>> 
>>>> On 01.02.2016 at 14:03, Mikael Barbero wrote:
>>>> I forgot to talk about the response:
>>>> 
>>>> HTTP 200 - application/java-archive (Content-Disposition attachment) - The signed Jar.
>>>> HTTP 400 - text/plain - the error message about the invalid parameter
>>>> 
>>>> Cheers, Mikael
>>>> 
>>>>> On 1 Feb 2016 at 13:52, Mikael Barbero
>>>>> <mikael@xxxxxxxxxxx> wrote:
>>>>> 
>>>>> Hi Christian,
>>>>> 
>>>>> Thank you for the kind words.
>>>>> 
>>>>> Yes, it is possible to set up such a service on your own
>>>>> infrastructure. There is no documentation per se about the
>>>>> server API, but you can guess it easily from the simple
>>>>> single signing servlet
>>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/src/main/java/org/eclipse/cbi/webservice/signing/jar/SigningServlet.java>
>>>>> which is used.
>>>>> 
>>>>> The signing service has a single POST operation (the name of
>>>>> this operation is configurable in the properties file, more
>>>>> on that later). It has several parameters:
>>>>> 
>>>>> * *file* - in formData - required - The jar file to be signed
>>>>> * *digestalg* - in query - optional - The digest algorithm to be used
>>>>>   to sign the jar. See the -digestalg option in the Oracle documentation
>>>>>   <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>>   for more information. The valid values are (if the configured
>>>>>   jarsigner is from Java 8 - advised):
>>>>>   o /DEFAULT/, tells the remote signing webservice to use its default
>>>>>     digest algorithm to sign the jar
>>>>>   o /MD2/
>>>>>   o /MD5/
>>>>>   o /SHA_1/
>>>>>   o /SHA1/ Use this value if you need to be compatible with some old
>>>>>     frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use SHA_1 otherwise.
>>>>>   o /SHA_224/
>>>>>   o /SHA_256/
>>>>>   o /SHA_384/
>>>>>   o /SHA_512/
>>>>> * *sigalg* - in query - optional - The signature algorithm to be used
>>>>>   to sign the jar. See the -sigalg option in the Oracle documentation
>>>>>   <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>>   for more information. The valid values are (if the configured
>>>>>   jarsigner is from Java 8 - advised):
>>>>>   o /DEFAULT/, tells the remote signing webservice to use its default
>>>>>     digest algorithm to sign the jar
>>>>>   o /NONEwithRSA/
>>>>>   o /MD2withRSA/
>>>>>   o /MD5withRSA/
>>>>>   o /SHA1withRSA/
>>>>>   o /SHA224withRSA/
>>>>>   o /SHA256withRSA/
>>>>>   o /SHA384withRSA/
>>>>>   o /SHA512withRSA/
>>>>>   o /SHA1withDSA/
>>>>>   o /SHA224withDSA/
>>>>>   o /SHA256withDSA/
>>>>>   o /NONEwithECDSA/
>>>>>   o /SHA1withECDSA/
>>>>>   o /SHA224withECDSA/
>>>>>   o /SHA256withECDSA/
>>>>>   o /SHA384withECDSA/
>>>>>   o /SHA512withECDSA/
>>>>> 
>>>>> 
>>>>> You can install the server on a machine by downloading the
>>>>> latest snapshot
>>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&v=LATEST>
>>>>> build of the single jar webservice (it embeds Jetty). I plan
>>>>> to do a release shortly after all the dependencies have been
>>>>> IP approved.
>>>>> 
>>>>> You can start the server with a simple "java -jar
>>>>> jar-signing-service-VERSION.jar" (Java 8 required). It will
>>>>> look for a configuration file named
>>>>> "jar-signing-service.properties" in the current working
>>>>> directory. You can specify the path and filename of this
>>>>> configuration file with the "-c" option switch: "java -jar
>>>>> jar-signing-service-VERSION.jar -c
>>>>> /path/to/my.config.properties"
>>>>> 
>>>>> You will find a sample configuration file (with description
>>>>> about what are the options for) in the git repo
>>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/etc/jar-signing-service.properties>.
>>>>> 
>>>>> You need to configure some information about the JKS and the
>>>>> certificate to be used for signing. I suppose you're familiar
>>>>> with that part.
>>>>> 
>>>>> If you use the eclipse-jarsigner-plugin, you will need to
>>>>> specify the signerUrl parameter
>>>>> <http://www.eclipse.org/cbi/maven-plugins/documentation/1.1.3/eclipse-jarsigner-plugin/sign-mojo.html#signerUrl>
>>>>> to your own service.
>>>>> 
>>>>> If you want to try the webservice without creating a
>>>>> certificate and caring about the configuration file, there is
>>>>> a test server in the jar signing service test jar that I use
>>>>> for headless integration testing. Just download this
>>>>> additional jar
>>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&c=tests&v=LATEST>
>>>>> and run the following command:
>>>>> 
>>>>> On Unix or similar
>>>>> 
>>>>> java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer
>>>>> 
>>>>> On Windows
>>>>> 
>>>>> java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer
>>>>> 
>>>>> It will print an URL (like http://localhost:3138/jarsigner)
>>>>> that you can add to your maven build
>>>>> (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner)
>>>>> and it will sign your jars locally with a dummy certificate. You can
>>>>> pass --help to see the options you can give to the
>>>>> TestServer. This test server has the same REST api as the
>>>>> production one.
>>>>> 
>>>>> I hope it will help you with using this project. If you have
>>>>> more questions, please feel free to ask. If you see something
>>>>> that you miss from the current implementation, we are
>>>>> welcoming contributions ;)
>>>>> 
>>>>> Cheers, Mikael
>>>>> 
>>>>>> On 29 Jan 2016 at 20:02, Christian Pontesegger
>>>>>> <christian.pontesegger@xxxxxx> wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I like the way eclipse is signing its plugins using the
>>>>>> eclipse-jarsigner-plugin. I wonder if it is possible to
>>>>>> set up such a service in our company, too. Is there
>>>>>> documentation available on how the server API works? Is it a
>>>>>> REST API, or how does the backend work?
>>>>>> 
>>>>>> Further it would be interesting to get the source code to
>>>>>> eventually add some additional functionality like
>>>>>> authenticating to the signing server first.
>>>>>> 
>>>>>> thanks Christian
>>>>>> 
>>>>>> _______________________________________________ cbi-dev
>>>>>> mailing list cbi-dev@xxxxxxxxxxx
>>>>>> <mailto:cbi-dev@xxxxxxxxxxx> To change your delivery
>>>>>> options, retrieve your password, or unsubscribe from this
>>>>>> list, visit
>>>>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>> 
>> 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
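As an added example (not code from the thread or from the CBI project), a small Python client for the single POST operation Mikael describes above, which can also carry the HTTP Basic credentials Denis suggests for a Jetty front end. Function names, the multipart boundary and the sample jar bytes are constructed assumptions; the form field "file", the query parameters, the algorithm lists and the 200/400 responses follow the message.

```python
"""Client for the single POST of the CBI jar signing servlet (added example, not
project code; function names, boundary and sample bytes are constructed assumptions)."""
import base64
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Algorithm names the thread lists for a Java 8 jarsigner; DEFAULT lets the service choose.
DIGEST_ALGS = {"DEFAULT", "MD2", "MD5", "SHA_1", "SHA1", "SHA_224", "SHA_256", "SHA_384", "SHA_512"}
SIG_ALGS = {"DEFAULT", "NONEwithRSA", "MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA224withRSA",
            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withDSA", "SHA224withDSA",
            "SHA256withDSA", "NONEwithECDSA", "SHA1withECDSA", "SHA224withECDSA",
            "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}
BOUNDARY = "cbi-signing-example-boundary"  # constructed; any token absent from the jar works

def build_request(signer_url, jar_bytes, digestalg=None, sigalg=None, basic_auth=None):
    """Return (url, headers, body): algorithms in the query string, jar as form-data 'file'.
    Unknown names are rejected here instead of waiting for the service's HTTP 400."""
    if digestalg is not None and digestalg not in DIGEST_ALGS:
        raise ValueError("unsupported digestalg: " + digestalg)
    if sigalg is not None and sigalg not in SIG_ALGS:
        raise ValueError("unsupported sigalg: " + sigalg)
    query = {k: v for k, v in (("digestalg", digestalg), ("sigalg", sigalg)) if v is not None}
    url = signer_url + ("?" + urlencode(query) if query else "")
    body = (b"--" + BOUNDARY.encode() + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="unsigned.jar"\r\n'
            b"Content-Type: application/java-archive\r\n\r\n" + jar_bytes + b"\r\n"
            b"--" + BOUNDARY.encode() + b"--\r\n")
    headers = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY}
    if basic_auth:  # (user, password) when Jetty basic auth is put in front of the servlet
        headers["Authorization"] = "Basic " + base64.b64encode(
            ("%s:%s" % basic_auth).encode()).decode()
    return url, headers, body

def handle_response(status, content_type, payload):
    """200 + application/java-archive -> signed jar bytes; 400 -> text/plain error message."""
    if status == 200 and content_type.startswith("application/java-archive"):
        return payload
    if status == 400:
        raise RuntimeError("rejected by signing service: " + payload.decode(errors="replace"))
    raise RuntimeError("unexpected response %d (%s)" % (status, content_type))

def sign_jar(signer_url, jar_bytes, **kwargs):
    """POST to a running service, e.g. the TestServer URL http://localhost:3138/jarsigner."""
    url, headers, body = build_request(signer_url, jar_bytes, **kwargs)
    try:
        with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
            return handle_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except HTTPError as err:  # urlopen raises on 4xx; map 400 to the documented error text
        return handle_response(err.code, err.headers.get("Content-Type", ""), err.read())
```

With the TestServer from the thread running, `sign_jar("http://localhost:3138/jarsigner", open("plugin.jar", "rb").read(), digestalg="SHA_256")` returns the jar signed with its dummy certificate.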