开发者

Jar Signing Strategy in Maven Projects

问答 作者:

We have several maven proje开发者_如何学Gocts, which are built on the build server. In some cases we want to sign our deliverables. We use Maven Jarsigner Plugin to do that.

We face the following questions:

  • Where should we store the passwords for signing?
  • What is a good strategy for signing maven projects?

We don't want to put our keystore somewhere on our servers and hardcode a path to it. So we just wrapped this keystore in a jar and uploaded it as an artifact to our inner maven repository. When we want to sign a maven project, we download the keystore artifact using the Maven Dependency Plugin and attach signing goal to maven build lifecycle. Here is more detailed information.

In order to hide the passwords for the keystore, we put them into our corporate pom.xml file. We also think about storing passwords in settings.xml on the build server.

When a project is built and signed on a developer machine, we sign it with self-signed certificate. But when project is built and signed on a build server, we sign it with our "official" certificate.

Is it a good strategy?

I use 2 keystores:

  • a development keystore which is stored in the SCM. The CI server can thus sign the snapshots.
  • a production keystore with a real production certificate issued by a trusted certification authority.

The development keystore password is in the pom.xml. Here is a snippet of my pom.xml:

  <plugin>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.2</version>
    <configuration>
      <storetype>${keystore.type}</storetype>
      <keystore>${keystore.path}</keystore>
      <alias>${keystore.alias}</alias>
      <storepass>${keystore.store.password}</storepass>
      <keypass>${keystore.key.password}</keypass>
    </configuration>
  </plugin>
  <!-- 
      ... rest of the pom.xml ...
  -->
  <properties>
    <keystore.path>cert/temp.keystore</keystore.path>
    <keystore.type>JKS</keystore.type>
    <keystore.alias>dev</keystore.alias>
    <keystore.password>dev_password</keystore.password>
    <keystore.store.password>${keystore.password}</keystore.store.password>
    <keystore.key.password>${keystore.password}</keystore.key.password>
  </properties>

In ~/.m2/settings.xml I defined a codesgining profile:

<settings>
  <profiles>
    <profile>
      <id>codesigning</id>
      <properties>
        <keystore.path>/opt/prod/prod.keystore</keystore.path> 
        <keystore.alias>prod</keystore.alias>
        <keystore.type>JKS</keystore.type>
        <keystore.store.password>${keystore.password}</keystore.store.password>
        <keystore.key.password>${keystore.password}</keystore.key.password>
      </properties>
    </profile>
  </profiles>
</settings>

when I want to sign the real certificate I invoke maven with the -Pcodesigning -Dkeystore.password=strongPassword parameters. I also configured the maven-release-plugin to use the codesigning profile.

Actually it is possible to store the password in settings.xml as long as the file is readable by nobody but you.

继续阅读:continuous-integrationjarsignermavenmaven-2signing

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9