Automatic "safe" code signing

I want to configure tasks on our server (Jenkins) to automatically sign the generated jars.

For obvious reasons, I don’t want to put the certificate and credentials in version control, or even have them readable in the job configuration.

Ideally, I want to have some kind of "signing server" to which the build server can send the jars for signing.

According to the documentation, the Eclipse project has such a system. But there is no mention of the technology that they use.

Does anyone know about a "signing solution" or another way to solve this problem?

+7
2 answers

I am not sure about the existing solution. However, I think you can create your own solution within a day:

Machine A will run Jenkins and have a shared folder. Machine B will run any application / web server (e.g. Apache + PHP) and has the signing certificate.

As part of the Jenkins job, you perform the following actions: a) Copy the jars to the shared folder b) Run the shell command "wget http://machineBURL/sign.php?filename=SomeJar.jar"

On machine B, a PHP script receives the passed file name, picks up the jar with that name from the shared folder, signs it, and puts it back in the same folder.

+1
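The first answer's design hinges on one untrusted input: the file name the build server passes to the signing endpoint. The following is an added example, not the answerer's PHP script and not anything from the question's Jenkins setup, written in Python to show the two checks a practitioner would want in such a service: the name is validated and confined to the shared staging directory before anything is signed, and the keystore password is handed to jarsigner through an environment variable so it never appears in the command line or in build logs. All paths, the alias, the environment variable name and the timestamp-authority URL are constructed placeholders.

```python
"""Request handling for a small jar-signing service (added example, constructed
names). Validates the filename sent by the build server, confines it to the
shared staging directory, and builds a jarsigner command line that never
carries the keystore password."""
import os
import re
import subprocess
from pathlib import Path
from typing import List

# Constructed, hypothetical locations for this example (not from the original post).
STAGING_DIR = Path("/srv/signing/staging")        # shared folder written by Jenkins
KEYSTORE = Path("/srv/signing/keys/release.jks")  # readable only by the signing service
KEY_ALIAS = "release"
STOREPASS_ENV = "SIGNING_STOREPASS"               # jarsigner reads the password from this variable
TSA_URL = "http://timestamp.example/tsa"          # placeholder timestamp authority (assumption)

# Only plain names like "app-1.2.3.jar" are accepted: no path separators,
# no leading dot, no whitespace or shell metacharacters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.jar$")


def resolve_jar(staging_dir: Path, filename: str) -> Path:
    """Map the requested filename onto a path inside staging_dir.

    Raises ValueError for anything that is not a plain .jar name or whose
    resolved location (symlinks included) lies outside the staging directory.
    """
    if not _SAFE_NAME.match(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = (staging_dir / filename).resolve()
    base = staging_dir.resolve()
    if base not in candidate.parents:  # works on Python < 3.9 too (no is_relative_to)
        raise ValueError(f"path escapes staging dir: {filename!r}")
    return candidate


def jarsigner_argv(jar_path: Path, keystore: Path, alias: str, storepass_env: str) -> List[str]:
    """Build the jarsigner command line.

    -storepass:env makes jarsigner read the password from the named variable,
    so it is absent from the argv that `ps` and job logs would show.
    """
    return [
        "jarsigner",
        "-keystore", str(keystore),
        "-storepass:env", storepass_env,
        "-tsa", TSA_URL,              # timestamp so the signature outlives the certificate
        str(jar_path),
        alias,
    ]


def handle_sign_request(filename: str, run=subprocess.run, environ=os.environ) -> Path:
    """What the web handler calls with the 'filename' query parameter.

    Signs the jar in place inside the staging directory and returns its path.
    `run` and `environ` are injectable so the logic can be exercised without a JDK.
    """
    jar_path = resolve_jar(STAGING_DIR, filename)
    if STOREPASS_ENV not in environ:
        raise RuntimeError(f"{STOREPASS_ENV} is not set on the signing host")
    run(jarsigner_argv(jar_path, KEYSTORE, KEY_ALIAS, STOREPASS_ENV), check=True)
    return jar_path


if __name__ == "__main__":
    # Requests as Jenkins would send them via sign.php?filename=...
    for name in ("SomeJar.jar", "../../etc/passwd", "SomeJar.jar;rm -rf /"):
        try:
            print(name, "->", resolve_jar(STAGING_DIR, name))
        except ValueError as exc:
            print(name, "->", exc)
```

The whitelist regex does most of the work; the `resolve()` comparison is defence in depth against a symlink placed in the shared folder. Restricting the shared folder so the build host can write new jars but not replace the signed output, and logging every request with the requester's identity, are the two operational controls to add around this.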

The Eclipse wiki documents the process; in short:

  • Using scp, copy the eclipse-master-${buildId}.zip file to the eclipse.org intermediate signing zone using pserver.

<exec dir="${packtmp}" executable="scp" output="signing.txt"> <arg line="${archiveName} dev.eclipse.org:${stagingDirectory}"/> </exec>

  • Call the signing script /usr/bin/sign on the signing server.

<exec dir="." executable="ssh" output="signing.txt" append="true"> <arg line='build.eclipse.org "cd ${stagingDirectory}; /usr/bin/sign ${stagingDirectory}/${archiveName} mail ${stagingDirectoryOutput}"'/> </exec>

  • Poll the server for the signed file in the output directory.

<exec dir="." executable="scp" output="signing.txt" append="true"> <arg line="dev.eclipse.org:${stagingDirectory}/${buildId}-out/${archiveName} ${buildDirectory}/${buildLabel}"/> </exec>

+1