The Eclipse CBI project provides such a server, which only needs to be configured correctly. Mikael Barbero posted a short howto on the mailing list, which should contain all you need. For a working setup example, follow this tutorial.
To have a test vehicle for signing we will reuse the tycho 4 tutorial source files.
Step 1: Get the service
Download the latest service snapshot file and store it in a directory called signingService. Next download the test server; we will use it to create a temporary certificate and keystore.
Finally we need a template configuration file. Download it and store it as signingService/jar-signing-service.properties.
Step 2: A short test drive
Open a console and change into the signingService folder. There execute:
java -cp jar-signing-service-1.0.0-20170331.204711-10.jar:jar-signing-service-1.0.0-20170331.204711-10-tests.jar org.eclipse.cbi.webservice.signing.jar.TestServer
You should get some output giving you the local address of the signing service as well as the certificate store used:
Starting test signing server at http://localhost:3138/jarsigner
Dummy certificates, temporary files and logs are stored in folder: /tmp/TestServer-2590700922068591564
Jarsigner executable is: /opt/oracle-jdk-bin-1.8.0.121/bin/jarsigner
We are not ready to sign code yet, but at least we can test whether the server is running correctly. If you try to connect with a browser you should get a message that HTTP method GET is not supported by this URL.
Step 3: Preparing the tycho project
We need some changes to our tycho project so it can make use of the signing server. Get the sources of the tycho 4 tutorial (checking out from git is fully sufficient) and add the following code to com.codeandme.tycho.releng/pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <pluginRepositories>
    <!-- the jarsigner plugin is hosted in the CBI releases repository -->
    <pluginRepository>
      <id>cbi</id>
      <url>https://repo.eclipse.org/content/repositories/cbi-releases/</url>
    </pluginRepository>
  </pluginRepositories>
  <build>
    <plugins>
      <!-- enable jar signing -->
      <plugin>
        <groupId>org.eclipse.cbi.maven.plugins</groupId>
        <artifactId>eclipse-jarsigner-plugin</artifactId>
        <!-- eclipse.jarsigner.version must be defined as a property; the original page gives no value for it -->
        <version>${eclipse.jarsigner.version}</version>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
            <!-- sign in the verify phase, after the jars have been packaged -->
            <phase>verify</phase>
          </execution>
        </executions>
        <configuration>
          <!-- address printed by the test server; adapt it when switching to the productive instance -->
          <signerUrl>http://localhost:3138/jarsigner</signerUrl>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
The code above shows purely additions to the pom.xml; no sections were removed or replaced.
You may already try to build your project with maven. As I had problems connecting to https://timestamp.geotrust.com/tsa, my local build failed, even though maven reported SUCCESS.
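Because maven can report SUCCESS while the signing step did not actually produce signed jars, it pays to inspect the built jars rather than trust the build log. The following is an added example and not code from this tutorial or from the CBI project: a Python script that constructs two sample jars in memory (the entry contents, the ACME.SF and ACME.RSA file names and the placeholder signature block are all constructed for the example) and checks each for what a jarsigner run leaves behind, that is the signature file, the signature block, a SHA-256-Digest for every entry in the manifest and the .SF digest over the manifest. It goes one step beyond the unsigned case on this page by also catching an entry that was modified after signing. It checks structure and digests only; validating the PKCS#7 block and the certificate chain is the job of jarsigner -verify -strict on the real jars.

```python
"""Added example (not from the original tutorial): structural check of jar signing.

Builds two small jars in memory, one plain and one carrying what a jarsigner run
leaves behind (per-entry manifest digests, a .SF file, a signature block), then
checks each the way a post-build sanity script would. Only structure and digests
are checked; validating the PKCS#7 block and certificate chain is jarsigner's job.
"""
import base64
import hashlib
import io
import zipfile

# Constructed sample content standing in for compiled classes and resources.
ENTRIES = {
    "com/codeandme/Hello.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "plugin.xml": b"<plugin/>",
}


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """Manifest with a SHA-256-Digest per entry, as jarsigner writes it."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def make_jar(entries: dict, signed: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = build_manifest(entries) if signed else b"Manifest-Version: 1.0\r\n\r\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            # The .SF file commits to the whole manifest; the .RSA block here is a
            # constructed placeholder, not a real PKCS#7 signature.
            sf = ("Signature-Version: 1.0\r\n"
                  f"SHA-256-Digest-Manifest: {_b64_sha256(manifest)}\r\n\r\n").encode()
            zf.writestr("META-INF/ACME.SF", sf)
            zf.writestr("META-INF/ACME.RSA", b"\x30\x82 constructed placeholder")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(raw: bytes):
    """Split a manifest into main-section and per-entry attributes (joins 72-byte continuation lines)."""
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    main, per_entry = {}, {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Name" in attrs:
            per_entry[attrs["Name"]] = attrs
        else:
            main.update(attrs)
    return main, per_entry


def check_jar(jar_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the jar looks signed and consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        sf_files = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        blocks = [n for n in names if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
        if not sf_files or not blocks:
            return ["no signature file / signature block: jar is unsigned"]
        manifest_raw = zf.read("META-INF/MANIFEST.MF")
        _, per_entry = parse_manifest(manifest_raw)
        sf_main, _ = parse_manifest(zf.read(sf_files[0]))
        if sf_main.get("SHA-256-Digest-Manifest") != _b64_sha256(manifest_raw):
            problems.append(f"{sf_files[0]}: manifest digest mismatch")
        # Every real entry needs a manifest digest that matches its current content.
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            attrs = per_entry.get(name)
            if attrs is None:
                problems.append(f"{name}: no manifest entry (added after signing?)")
            elif attrs.get("SHA-256-Digest") != _b64_sha256(zf.read(name)):
                problems.append(f"{name}: digest mismatch (modified after signing?)")
    return problems


SIGNED_JAR = make_jar(ENTRIES, signed=True)
UNSIGNED_JAR = make_jar(ENTRIES, signed=False)


def tampered_jar() -> bytes:
    """Signed jar with one entry altered afterwards, to show the digest check firing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(SIGNED_JAR)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            dst.writestr(name, b"<plugin><extension/></plugin>" if name == "plugin.xml" else data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in [("signed", SIGNED_JAR), ("unsigned", UNSIGNED_JAR), ("tampered", tampered_jar())]:
        print(f"{label}: {check_jar(jar) or 'OK'}")
```

Run it against the jars under your bundles' target directories instead of the constructed ones by reading the files and passing their bytes to check_jar; an unsigned jar after a "successful" build is exactly the symptom described above.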
Step 4: Configuring a productive instance
So let's get productive. Setting up your keystore with your own certificates is not covered by this tutorial, so I will reuse the keystore created by the test instance. Copy the keystore.jks file from the temp folder to the signingService folder. Then create a text file keystore.pass containing the keystore password:
echo keystorePassword >keystore.pass
Now we need to adapt the jar-signing-service.properties file to our needs:
### Example configuration file

server.service.pathspec=/jarsigner
server.service.pathspec.versioned=false

jarsigner.bin=/opt/oracle-jdk-bin-1.8.0.121/bin/jarsigner

jarsigner.keystore=/somewhere/signingService/keystore.jks
jarsigner.keystore.password=/somewhere/signingService/keystore.pass
jarsigner.keystore.alias=acme.org

jarsigner.tsa=http://timestamp.entrust.net/TSS/JavaHttpTS
- By setting the versioned flag (server.service.pathspec.versioned) to false in line 4 we simplify the service web address (details can be found in the sample properties file).
- Set the jarsigner executable path (jarsigner.bin) in line 6 according to your local environment.
- Lines 8-10 (jarsigner.keystore, jarsigner.keystore.password and jarsigner.keystore.alias) describe the keystore and certificate to use. You will need to adapt them for your own keystore, but the settings above should result in a working build.
- The change of the timestamp authority (jarsigner.tsa) in line 12 was necessary at the time of writing this tutorial because of connection problems to https://timestamp.geotrust.com/tsa.
Then start the service:
java -jar jar-signing-service-1.0.0-20170331.204711-10.jar
Remember that your productive instance now runs on port 8080, so adapt your pom.xml accordingly.
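A forgotten signerUrl (still pointing at the test server on port 3138 after switching to the productive instance on port 8080) or a sign goal bound to the wrong phase both fail quietly, so it is worth checking the releng pom before the build. The following is an added example, not code from this tutorial or from the CBI project: a Python script that parses the pom.xml additions from Step 3 (embedded here as constructed test input) and reports whether the CBI plugin repository is declared, whether eclipse-jarsigner-plugin has its sign goal bound to the verify phase, whether the version property resolves within this pom, and whether signerUrl matches the service address you pass in. The function name lint_signing_pom and the finding texts are this example's own.

```python
"""Added example (not from the tutorial or the CBI project): lint the releng pom.xml
for the jar-signing setup before running the build.

Checks the points the tutorial relies on: a CBI plugin repository, the
eclipse-jarsigner-plugin with its sign goal bound to the verify phase, a
version that resolves, and a signerUrl pointing at the instance you run
(the test server on port 3138 or the productive service on port 8080).
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# The additions from the tutorial, embedded here as constructed test input.
POM_TEST_INSTANCE = """<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <pluginRepositories>
    <pluginRepository>
      <id>cbi</id>
      <url>https://repo.eclipse.org/content/repositories/cbi-releases/</url>
    </pluginRepository>
  </pluginRepositories>
  <build>
    <plugins>
      <plugin>
        <groupId>org.eclipse.cbi.maven.plugins</groupId>
        <artifactId>eclipse-jarsigner-plugin</artifactId>
        <version>${eclipse.jarsigner.version}</version>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
            <phase>verify</phase>
          </execution>
        </executions>
        <configuration>
          <signerUrl>http://localhost:3138/jarsigner</signerUrl>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>"""


def lint_signing_pom(pom_xml: str, expected_signer_url: str) -> list:
    """Return a list of findings; an empty list means the signing setup looks consistent."""
    findings = []
    root = ET.fromstring(pom_xml)
    # Property names defined in this pom (tags are namespace-qualified, keep the local name).
    props = {p.tag.split("}")[-1] for p in root.findall("m:properties/*", NS)}
    repo_urls = [u.text or "" for u in root.findall("m:pluginRepositories/m:pluginRepository/m:url", NS)]
    if not any("cbi" in u for u in repo_urls):
        findings.append("no CBI plugin repository declared; the plugin will not resolve")
    plugins = [p for p in root.findall("m:build/m:plugins/m:plugin", NS)
               if p.findtext("m:artifactId", namespaces=NS) == "eclipse-jarsigner-plugin"]
    if not plugins:
        return findings + ["eclipse-jarsigner-plugin is not configured"]
    plugin = plugins[0]
    version = plugin.findtext("m:version", default="", namespaces=NS)
    if version.startswith("${") and version[2:-1] not in props:
        findings.append(f"version property {version[2:-1]} is not defined in this pom's <properties> "
                        "(it must come from a parent pom or the command line)")
    executions = [(e.findtext("m:phase", namespaces=NS), [g.text for g in e.findall("m:goals/m:goal", NS)])
                  for e in plugin.findall("m:executions/m:execution", NS)]
    sign_phases = [phase for phase, goals in executions if "sign" in goals]
    if not sign_phases:
        findings.append("sign goal is not bound to any execution")
    elif "verify" not in sign_phases:
        findings.append("sign goal should run in the verify phase, after the jars are packaged")
    url = plugin.findtext("m:configuration/m:signerUrl", default="", namespaces=NS)
    if url != expected_signer_url:
        findings.append(f"signerUrl is {url!r} but the service runs at {expected_signer_url!r}")
    return findings


if __name__ == "__main__":
    for expected in ("http://localhost:3138/jarsigner", "http://localhost:8080/jarsigner"):
        print(expected, lint_signing_pom(POM_TEST_INSTANCE, expected) or "OK")
```

For your own project, read com.codeandme.tycho.releng/pom.xml from disk and pass its contents together with the address of the instance you are running; the only finding for the tutorial pom against the test server is the undefined version property, and against the productive instance the stale port is reported as well.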