Monday, April 24, 2017

Host your own eclipse signing server

We handled signing plugins with tycho some time ago already. When working in a larger company you might want to keep your certificates and passphrases hidden from your developers. For such a scenario a signing server could come in handy.

The eclipse CBI project provides such a server which just needs to get configured in the right way. Mikael Barbero posted a short howto on the mailing list, which should contain all you need. For a working setup example follow this tutorial.

To have a test vehicle for signing we will reuse the tycho 4 tutorial source files.

Step 1: Get the service

Download the latest service snapshot file and store it to a directory called signingService. Next download the test server, we will use it to create a temporary certificate and keystore.

Finally we need a template configuration file. Download it and store it to signingService/jar-signing-service.properties.

Step 2: A short test drive

Open a console and change into the signingService folder. There execute:
java -cp jar-signing-service-1.0.0-20170331.204711-10.jar:jar-signing-service-1.0.0-20170331.204711-10-tests.jar org.eclipse.cbi.webservice.signing.jar.TestServer
You should get some output giving you the local address of the signing service as long as the certificate store used:
Starting test signing server at http://localhost:3138/jarsigner
Dummy certificates, temporary files and logs are stored in folder: /tmp/TestServer-2590700922068591564
Jarsigner executable is: /opt/oracle-jdk-bin-1.8.0.121/bin/jarsigner
We are not ready yet to sign code, but at least we can test if the server is running correctly. If you try to connect with a browser you should get a message that HTTP method GET is not supported by this URL.

Step 3: Preparing the tycho project

We need some changes to our tycho project so it can make use of the signing server. Get the sources of the tycho 4 tutorial (checking out from git is fully sufficient) and add following code to com.codeandme.tycho.releng/pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

 <properties>
  <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 </properties>

 <pluginRepositories>
  <pluginRepository>
   <id>cbi</id>
   <url>https://repo.eclipse.org/content/repositories/cbi-releases/</url>
  </pluginRepository>
 </pluginRepositories>

 <build>
  <plugins>
   <!-- enable jar signing -->
   <plugin>
    <groupId>org.eclipse.cbi.maven.plugins</groupId>
    <artifactId>eclipse-jarsigner-plugin</artifactId>
    <version>${eclipse.jarsigner.version}</version>
    <executions>
     <execution>
      <id>sign</id>
      <goals>
       <goal>sign</goal>
      </goals>
      <phase>verify</phase>
     </execution>
    </executions>
    <configuration>
     <signerUrl>http://localhost:3138/jarsigner</signerUrl>
    </configuration>
   </plugin>
   
  </plugins>
 </build>
</project>
The code above shows purely additions to the pom.xml, no sections were removed or replaced.

You may try to build your project with maven already. As I had problems to connect to https://timestamp.geotrust.com/tsa my local build failed, even if maven reported SUCCESS.

Step 4: Configuring a productive instance

So lets get productive. Setting up your keystore with your certificates will not be handled by this tutorial, so I will reuse the keystore created by the test instance. Copy the keystore.jks file from the temp folder to the signingService folder. Then create a text file keystore.pass:
echo keystorePassword >keystore.pass

Now we need to adapt the jar-signing-service.properties file to our needs:
### Example configuration file

server.service.pathspec=/jarsigner
server.service.pathspec.versioned=false

jarsigner.bin=/opt/oracle-jdk-bin-1.8.0.121/bin/jarsigner

jarsigner.keystore=/somewhere/signingService/keystore.jks
jarsigner.keystore.password=/somewhere/signingService/keystore.pass
jarsigner.keystore.alias=acme.org

jarsigner.tsa=http://timestamp.entrust.net/TSS/JavaHttpTS

  • By setting the versioned flag to false in line 4 we simplify the service web address (details can be found in the sample properties file).
  • Set the jarsigner executable path in line 6 according to your local environment.
  • Lines 8-10 contain details about the keystore and certificate to use, you will need to adapt them, but above settings should result in a working build.
  • The change in line 12 was necessary at the time of writing this tutorial because of connection problems to https://timestamp.geotrust.com/tsa.
Run your service using
java -jar jar-signing-service-1.0.0-20170331.204711-10.jar
Remember that your productive instance now runs on port 8080, so adapt your pom.xml accordingly.

1 comment:

  1. Thanks Christian for this very nice tutorial.

    Note that we've faced the issue with Geotrust as well (https://bugs.eclipse.org/bugs/show_bug.cgi?id=515402). Symantec/Geotrust removed the usual https://timestamp.geotrust.com/tsa (see https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=ALERT2248 for details). The replacement URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

    ReplyDelete