Re: [cbi-dev] Signing service maven plugin
Good catch Denis! That would get the job done.
> On 2 Feb. 2016 at 16:02, Denis Roy <denis.roy@xxxxxxxxxxx> wrote:
>
> Jetty supports basic authentication, similarly to apache httpd, which
> makes it easy for clients to authenticate. It's not the most secure
> method (even over https) but it would get the job done:
>
> https://www.eclipse.org/jetty/documentation/current/configuring-security-authentication.html
>
>
>
>
> On 02/02/2016 03:27 AM, Mikael Barbero wrote:
>> Right. The service runs within our private LAN and that's how we
>> handle "authentication". If you add an authentication layer, that
>> would be a fantastic contribution. I'm not certain we will use at
>> Eclipse, but this is definitely something that would be interesting
>> for several corporate users.
>>
>> Cheers, Mikael
>>
>>> On 2 Feb. 2016 at 09:06, Christian Pontesegger
>>> <christian.pontesegger@xxxxxx> wrote:
>>>
>>> Thanks Mikael for the description. I will try to implement this
>>> on our company infrastructure. I guess for us authentication will
>>> be a topic. Is this something that is interesting for Eclipse? I
>>> guess you are currently accepting connections from eclipse.org
>>> servers only, right?
>>>
>>> regards Christian
>>>
>>> On 01.02.2016 at 14:03, Mikael Barbero wrote:
>>>> I forgot to talk about the response:
>>>>
>>>> HTTP 200 - application/java-archive (Content-Disposition
>>>> attachment) - The signed Jar.
>>>> HTTP 400 - text/plain - the error message about the invalid
>>>> parameter
>>>>
>>>> Cheers, Mikael
>>>>
>>>>> On 1 Feb. 2016 at 13:52, Mikael Barbero
>>>>> <mikael@xxxxxxxxxxx> wrote:
>>>>>
>>>>> Hi Christian,
>>>>>
>>>>> Thank you for the kind words.
>>>>>
>>>>> Yes, it is possible to setup such a service on your own
>>>>> infrastructure. There is no documentation per se about the
>>>>> server API, but you can guess it easily from the simple
>>>>> single signing servlet
>>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/src/main/java/org/eclipse/cbi/webservice/signing/jar/SigningServlet.java>
>>>>> which is used.
>>>>>
>>>>> The signing service has a single POST operation (the name of
>>>>> this operation is configurable in the properties file, more
>>>>> on that later). It has several parameters:
>>>>>
>>>>> * *file* - in formData - required - The jar file to be signed
>>>>> * *digestalg* - in query - optional - The digest algorithm to be
>>>>> used to sign the jar. See -digestalg option at Oracle documentation
>>>>> <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>> for more information. The valid values are (if the configured
>>>>> jarsigner is from Java 8 - advised):
>>>>>   o /DEFAULT/, tells to the remote signing webservice to use its
>>>>>     default digest algorithm to sign the jar
>>>>>   o /MD2/
>>>>>   o /MD5/
>>>>>   o /SHA_1/
>>>>>   o /SHA1/ Use this value if you need to be compatible with some
>>>>>     old frameworks (e.g., Eclipse Equinox 3.7 / Indigo). Use
>>>>>     SHA_1 otherwise.
>>>>>   o /SHA_224/
>>>>>   o /SHA_256/
>>>>>   o /SHA_384/
>>>>>   o /SHA_512/
>>>>> * *sigalg* - in query - optional - The signature algorithm to be
>>>>> used to sign the jar. See -sigalg option at Oracle documentation
>>>>> <http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jarsigner.html#CCHBEDDF>
>>>>> for more information. The valid values are (if the configured
>>>>> jarsigner is from Java 8 - advised):
>>>>>   o /DEFAULT/, tells to the remote signing webservice to use its
>>>>>     default digest algorithm to sign the jar
>>>>>   o /NONEwithRSA/
>>>>>   o /MD2withRSA/
>>>>>   o /MD5withRSA/
>>>>>   o /SHA1withRSA/
>>>>>   o /SHA224withRSA/
>>>>>   o /SHA256withRSA/
>>>>>   o /SHA384withRSA/
>>>>>   o /SHA512withRSA/
>>>>>   o /SHA1withDSA/
>>>>>   o /SHA224withDSA/
>>>>>   o /SHA256withDSA/
>>>>>   o /NONEwithECDSA/
>>>>>   o /SHA1withECDSA/
>>>>>   o /SHA224withECDSA/
>>>>>   o /SHA256withECDSA/
>>>>>   o /SHA384withECDSA/
>>>>>   o /SHA512withECDSA/
>>>>>
>>>>>
>>>>> You can install the server on a machine by downloading the
>>>>> latest snapshot
>>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&v=LATEST>
>>>>> build of the single jar webservice (it embeds Jetty). I plan
>>>>> to do a release shortly after all the dependencies have been
>>>>> IP approved.
>>>>>
>>>>> You can start the server with a simple "java -jar
>>>>> jar-signing-service-VERSION.jar" (Java 8 required). It will
>>>>> look for a configuration file named
>>>>> "jar-signing-service.properties" in the current working
>>>>> directory. You can specify the path and filename of this
>>>>> configuration file with the "-c" option switch: "java -jar
>>>>> jar-signing-service-VERSION.jar -c
>>>>> /path/to/my.config.properties"
>>>>>
>>>>> You will find a sample configuration file (with description
>>>>> about what are the options for) in the git repo
>>>>> <http://git.eclipse.org/c/cbi/org.eclipse.cbi.git/tree/webservice/signing/jar/etc/jar-signing-service.properties>.
>>>>>
>>>>> You need to configure some information about the JKS and the
>>>>> certificate to be used for signing. I suppose you're familiar
>>>>> with that part.
>>>>>
>>>>> If you use the eclipse-jarsigner-plugin, you will need to
>>>>> specify the signerUrl parameter
>>>>> <http://www.eclipse.org/cbi/maven-plugins/documentation/1.1.3/eclipse-jarsigner-plugin/sign-mojo.html#signerUrl>
>>>>> to your own service.
>>>>>
>>>>> If you want to try the webservice without creating a
>>>>> certificate and caring about the configuration file, there is
>>>>> a test server in the jar signing service test jar that I use
>>>>> for headless integration testing. Just download this
>>>>> additional jar
>>>>> <https://repo.eclipse.org/service/local/artifact/maven/redirect?r=cbi&g=org.eclipse.cbi&a=jar-signing-service&c=tests&v=LATEST>
>>>>> and run the following command:
>>>>>
>>>>> On Unix or similar
>>>>>
>>>>> java -cp /path/where/you/download/the/jars/jar-signing-service-VERSION.jar:/path/where/you/download/the/jars/jar-signing-service-VERSION-tests.jar TestServer
>>>>>
>>>>> On Windows
>>>>>
>>>>> java -cp C:\path\where\you\download\the\jars\jar-signing-service-VERSION.jar;C:\path\where\you\download\the\jars\jar-signing-service-VERSION-tests.jar TestServer
>>>>>
>>>>> It will print an URL (like http://localhost:3138/jarsigner)
>>>>> that you can add to your maven build
>>>>> (-Dcbi.jarsigner.signerUrl=http://localhost:3138/jarsigner)
>>>>> and it will sign your jars locally with a dummy certificate. You can
>>>>> pass --help to see the options you can give to the
>>>>> TestServer. This test server has the same REST api as the
>>>>> production one.
>>>>>
>>>>> I hope it will help you with using this project. If you have
>>>>> more questions, please feel free to ask. If you see something
>>>>> that you miss from the current implementation, we are
>>>>> welcoming contributions ;)
>>>>>
>>>>> Cheers, Mikael
>>>>>
>>>>>> On 29 Jan. 2016 at 20:02, Christian Pontesegger
>>>>>> <christian.pontesegger@xxxxxx> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I like the way eclipse is signing its plugins using the
>>>>>> eclipse-jarsigner-plugin. I wonder if it is possible to
>>>>>> setup such a service in our company, too. Is there
>>>>>> documentation available how the server API works? Is it a
>>>>>> REST API, or how does the backend work?
>>>>>>
>>>>>> Further it would be interesting to get the source code to
>>>>>> eventually add some additional functionality like
>>>>>> authenticating to the signing server first.
>>>>>>
>>>>>> thanks Christian
>>>>>>
>>>>>> _______________________________________________ cbi-dev
>>>>>> mailing list cbi-dev@xxxxxxxxxxx
>>>>>> <mailto:cbi-dev@xxxxxxxxxxx> To change your delivery
>>>>>> options, retrieve your password, or unsubscribe from this
>>>>>> list, visit
>>>>>> https://dev.eclipse.org/mailman/listinfo/cbi-dev
>>>>>
>>>
>>
>>
>>
Attachment: signature.asc (Message signed with OpenPGP using GPGMail)
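A small client for the signing service API Mikael describes in the thread (single POST, `file` form part, optional `digestalg`/`sigalg` query parameters, 200 application/java-archive or 400 text/plain), written as an added example rather than code from the CBI project. It assumes the service is reachable at `signer_url` (for instance the TestServer URL above) and that the optional `basic_auth` pair is only meaningful if the Jetty basic authentication Denis mentions has been configured in front of the service; the parameter value sets are copied from the thread.

```python
"""Client for the CBI jar signing service API as described in the thread (added example)."""
import base64
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Valid values listed in the thread for a Java 8 jarsigner; DEFAULT lets the service choose.
DIGEST_ALGS = {"DEFAULT", "MD2", "MD5", "SHA_1", "SHA1", "SHA_224", "SHA_256", "SHA_384", "SHA_512"}
SIG_ALGS = {"DEFAULT", "NONEwithRSA", "MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA224withRSA",
            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withDSA", "SHA224withDSA",
            "SHA256withDSA", "NONEwithECDSA", "SHA1withECDSA", "SHA224withECDSA",
            "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}


def build_url(signer_url, digestalg=None, sigalg=None):
    """Append the optional query parameters, rejecting values the service would answer 400 to."""
    params = {}
    if digestalg is not None:
        if digestalg not in DIGEST_ALGS:
            raise ValueError("unsupported digestalg: " + digestalg)
        params["digestalg"] = digestalg
    if sigalg is not None:
        if sigalg not in SIG_ALGS:
            raise ValueError("unsupported sigalg: " + sigalg)
        params["sigalg"] = sigalg
    return signer_url + ("?" + urllib.parse.urlencode(params) if params else "")


def encode_multipart(jar_bytes, filename, boundary):
    """multipart/form-data body carrying the single required 'file' part."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/java-archive\r\n\r\n").encode()
    return head + jar_bytes + f"\r\n--{boundary}--\r\n".encode()


def handle_response(status, content_type, body):
    """Map the two documented responses: 200 -> signed jar bytes, 400 -> error text from the service."""
    if status == 200 and content_type.startswith("application/java-archive"):
        return body
    if status == 400:
        raise RuntimeError("signing service rejected the request: " + body.decode("utf-8", "replace"))
    raise RuntimeError(f"unexpected response: HTTP {status} {content_type}")


def sign_jar(signer_url, jar_bytes, filename, digestalg=None, sigalg=None, basic_auth=None):
    """POST the jar and return the signed bytes; basic_auth is an optional (user, password) tuple."""
    boundary = uuid.uuid4().hex
    req = urllib.request.Request(build_url(signer_url, digestalg, sigalg), method="POST",
                                 data=encode_multipart(jar_bytes, filename, boundary))
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    if basic_auth:  # credentials travel in clear unless signer_url is https
        req.add_header("Authorization", "Basic " + base64.b64encode(
            f"{basic_auth[0]}:{basic_auth[1]}".encode()).decode())
    try:
        with urllib.request.urlopen(req) as resp:
            return handle_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:  # 400 arrives here, with the text/plain message as body
        return handle_response(err.code, err.headers.get("Content-Type", ""), err.read())
```

Write the returned bytes to a file and run `jarsigner -verify` on it to confirm the signature before publishing the artifact.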