Posted to dev@maven.apache.org by "Corridor Software Developer (JIRA)" <ji...@codehaus.org> on 2005/10/07 23:45:11 UTC

[jira] Created: (MNG-1130) Support jar signing.

Support jar signing.
--------------------

         Key: MNG-1130
         URL: http://jira.codehaus.org/browse/MNG-1130
     Project: Maven 2
        Type: New Feature
  Components: maven-jar-plugin  
    Versions: 2.0-beta-3    
 Environment: gentoo linux, jdk 1.4.2_06
    Reporter: Corridor Software Developer


The Java webstart framework requires that jars used by a webstart application be signed.

Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 

The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.

This functionality is required prior to finishing the webstart-maven-plugin.

Two example test projects will be attached to the ticket shortly.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130-jar-sign.diff

Slightly updated when I worked on support for jarsigner -verify.
verify support comes in a separate patch.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130-jar-sign.diff

2nd version of the patch.

This adds:
- make sure we don't hang if jarsigner asks for some input
- add documentation
- fix unit tests
- add the missing Mojo class as part of my previous patch :)

I believe this to be ready for review/checkin.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



Re: [jira] Commented: (MNG-1130) Support jar signing.

Posted by Steve Loughran <st...@apache.org>.
>>Support jar signing.
>>--------------------
>>
>>         Key: MNG-1130
>>         URL: http://jira.codehaus.org/browse/MNG-1130
>>     Project: Maven 2
>>        Type: New Feature
>>  Components: maven-jar-plugin
>>    Versions: 2.0-beta-3
>> Environment: gentoo linux, jdk 1.4.2_06
>>    Reporter: Corridor Software Developer
>> Attachments: mng-1130.tar.gz
>>
>>
>>The Java webstart framework requires that jars used by a webstart application be signed.
>>Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
>>The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
>>This functionality is required prior to finishing the webstart-maven-plugin.
>>Two example test projects will be attached to the ticket shortly.
> 
> 

This is just a heads up that I believe signed JNLP JAR files are 
vulnerable to attack, because the jnlp descriptor itself is not 
authenticated, and runs any main class in the entire suite of JARs. So 
you need to be sure that all JARs that you sign do not contain static 
main methods, or any of them can run on the user's box with the rights 
you are granted. Not good.

I don't have a proof of concept yet, but am starting to code the tool to 
search a jar for entry points for this very reason; then parse a jnlp to 
look for back doors in its jars. I currently do not consider signing and 
distributing any third party apps a sensible action.

-Steve
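
The audit described in the message above (search each JAR for entry points, then compare against the JNLP descriptor), as an added example that is not part of the thread or of any tool posted to it. The sample JARs, class names and JNLP text are constructed, and all function names are hypothetical.

```python
import io
import struct
import xml.etree.ElementTree as ET
import zipfile

ACC_PUBLIC, ACC_STATIC = 0x0001, 0x0008
MAIN_DESCRIPTOR = "([Ljava/lang/String;)V"
# Constant-pool tag -> payload size in bytes (Utf8, tag 1, is variable length).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def has_main(data):
    """True if the class file declares public static main(String[])."""
    f = io.BytesIO(data)

    def take(fmt):  # read big-endian fields; struct.error on truncated input
        values = struct.unpack(fmt, f.read(struct.calcsize(fmt)))
        return values if len(values) > 1 else values[0]

    if take(">I") != 0xCAFEBABE:
        raise ValueError("not a class file")
    take(">HH")  # minor and major version
    utf8, index, count = {}, 1, take(">H")
    while index < count:
        tag = take(">B")
        if tag == 1:
            utf8[index] = f.read(take(">H")).decode("utf-8", "replace")
        elif tag in CP_SIZES:
            f.seek(CP_SIZES[tag], 1)
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    take(">HHH")  # access_flags, this_class, super_class
    f.seek(2 * take(">H"), 1)  # interface indexes
    for kind in ("fields", "methods"):  # both tables share one layout
        for _ in range(take(">H")):
            flags, name, desc, attr_count = take(">HHHH")
            for _ in range(attr_count):
                f.seek(take(">HI")[1], 1)  # skip attribute body
            if (kind == "methods" and utf8.get(name) == "main"
                    and utf8.get(desc) == MAIN_DESCRIPTOR
                    and flags & ACC_PUBLIC and flags & ACC_STATIC):
                return True
    return False


def entry_points(jar_bytes):
    """Dotted names of all classes in the JAR that have a main method."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(name[:-6].replace("/", ".") for name in jar.namelist()
                      if name.endswith(".class") and has_main(jar.read(name)))


def declared_main_class(jnlp_text):
    """The main-class attribute of <application-desc>, or None if absent."""
    desc = ET.fromstring(jnlp_text).find("application-desc")
    return None if desc is None else desc.get("main-class")


def unexpected_entry_points(jars, intended_main):
    """Per JAR, entry points other than the intended main class."""
    report = {name: [c for c in entry_points(data) if c != intended_main]
              for name, data in jars.items()}
    return {name: extra for name, extra in report.items() if extra}


def make_jar(classes):
    """Constructed sample JAR; classes = {internal name: [(flags, name, desc)]}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for cls, methods in classes.items():
            strings = [cls, "java/lang/Object"]
            for _, name, desc in methods:
                strings += [name, desc]
            n = len(strings)  # Utf8 entries 1..n, then two Class entries
            pool = b"".join(struct.pack(">BH", 1, len(s)) + s.encode() for s in strings)
            pool += struct.pack(">BHBH", 7, 1, 7, 2)
            body = struct.pack(">IHHH", 0xCAFEBABE, 0, 48, n + 3) + pool
            body += struct.pack(">HHHHHH", 0x21, n + 1, n + 2, 0, 0, len(methods))
            for i, (flags, _, _) in enumerate(methods):
                body += struct.pack(">HHHH", flags, 3 + 2 * i, 4 + 2 * i, 0)
            jar.writestr(cls + ".class", body)
    return buf.getvalue()


MAIN = (ACC_PUBLIC | ACC_STATIC, "main", MAIN_DESCRIPTOR)
INSTANCE_MAIN = (ACC_PUBLIC, "main", MAIN_DESCRIPTOR)  # not static: not launchable
# Constructed suite: the application JAR plus a bundled third-party JAR.
SAMPLE_JARS = {
    "app.jar": make_jar({"com/example/App": [MAIN],
                         "com/example/Util": [(ACC_PUBLIC, "run", "()V")]}),
    "thirdparty.jar": make_jar({"org/vendor/tools/Shell": [MAIN],
                                "org/vendor/Lib": [INSTANCE_MAIN]}),
}
SAMPLE_JNLP = '<jnlp><application-desc main-class="com.example.App"/></jnlp>'

if __name__ == "__main__":
    print(unexpected_entry_points(SAMPLE_JARS, declared_main_class(SAMPLE_JNLP)))
```

A non-empty report means the suite to be signed contains launchable classes beyond the intended one; a class file the parser cannot read raises an exception rather than being skipped.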



[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48505 ] 

Jerome Lacoste commented on MNG-1130:
-------------------------------------

In your 1st example pom (for the jar packaging), you specify the following config:

        <configuration>
           <keystore></keystore>
           <password></password>
           <type></type>
           <alias></alias>
           <validity></validity>
           <dname-cn></dname-cn>
           <dname-ou></dname-ou>
           <dname-o></dname-o>
           <dname-l></dname-l>
           <dname-s></dname-s>
           <dname-c></dname-c>
        </configuration>

What have the dname values to do with the sign operation? These are only related to JNLP, right?

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: jar-sign-verify.diff

The support for sign-verify.
Comes with unit tests and updated docs for the jar plugin.

Must be applied after the latest MNG-1130-jar-sign.diff patch

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Corridor Software Developer (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Corridor Software Developer updated MNG-1130:
---------------------------------------------

    Attachment: mng-1130.tar.gz

rough ideas of how plugin configurations would appear.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48501 ] 

Jerome Lacoste commented on MNG-1130:
-------------------------------------

taking

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Closed: (MNG-1130) Support jar signing.

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]
     
Brett Porter closed MNG-1130:
-----------------------------

      Assign To: Brett Porter
     Resolution: Fixed
    Fix Version: 2.0.1

applied, thanks

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>      Fix For: 2.0.1
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130_jar-sign-verify.diff

Updated patch.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>      Fix For: 2.0.1
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130_jar-sign-verify.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Reopened: (MNG-1130) Support jar signing.

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]
     
Brett Porter reopened MNG-1130:
-------------------------------


forgot to apply jar-sign-verify.diff. needs to be updated to apply.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>      Fix For: 2.0.1
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48544 ] 

Jerome Lacoste commented on MNG-1130:
-------------------------------------

OK, I updated my code based on your comments. The only bad point is that I don't have proper unit tests.

The only thing I could test is whether the CommandLine looks correct, but the commandline relies so much on the environment (in terms of paths) that in practice, it means doing a lot of work for not much. I have a pom.xml in src/main/resources/sign-0/pom.xml that I currently use to do a manual functional test. Not sure how to automate this one (as it will be far from being a real unit test).

Attaching soon here.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130_jar-sign-verify.diff

Even better when I don't forget the documentation... Updated the updated patch.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>      Fix For: 2.0.1
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Commented: (MJAR-9) Support jar signing.

Posted by "Turadg Aleahmad (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MJAR-9?page=comments#action_55446 ] 

Turadg Aleahmad commented on MJAR-9:
------------------------------------

This may not be the place, but can anyone tell me how to use this functionality?


> Support jar signing.
> --------------------
>
>          Key: MJAR-9
>          URL: http://jira.codehaus.org/browse/MJAR-9
>      Project: Maven 2.x Jar Plugin
>         Type: New Feature

>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Corridor Software Developer (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48513 ] 

Corridor Software Developer commented on MNG-1130:
--------------------------------------------------


Brought them over from the keystore settings properties of the maven 1 jnlp plugin.  I thought it was a little strange since you use them when creating a keystore with the keytool, not actual signing. If they don't make sense to have, then feel free to discard them. The format of the configuration, where the goal is located, etc are all flexible at this point.






> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130-jar-sign.diff

Update: 
- sync with trunk (pom.xml)
- make sure the properties have public setters so that I can reuse the mojo from the webstart-maven-plugin.


> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, mng-1130.tar.gz
>
>
> The Java webstart framework requires that jars used by a webstart application be signed.
> Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo. 
> The plugin should also allow a specific dependency or dependencies, as well as its runtime dependencies to be signed.
> This functionality is required prior to finishing the webstart-maven-plugin.
> Two example test projects will be attached to the ticket shortly.



[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130-jar-sign.diff

Changes:
- Added a jarPath attribute.

Code is successfully reused within the webstart-maven-plugin. Please review.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, mng-1130.tar.gz
>
>


[jira] Closed: (MNG-1130) Support jar signing.

Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]
     
Emmanuel Venisse closed MNG-1130:
---------------------------------

    Resolution: Fixed

Applied

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>      Fix For: 2.0.1
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>


[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Corridor Software Developer (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48541 ] 

Corridor Software Developer commented on MNG-1130:
--------------------------------------------------

Suggested Answers:

1) JarSignMojo is a good name.

2) Putting the signed jar at 
${project.build.directory}/signed/${project.build.finalName}.jar seems the
most appropriate place. I would make this the default.

3) I'd let the jar signer check its own parameters, but anything added
as a result of wrapping it with m2 ought to be checked. But no need to
double check something the jar signer validates unless the error message
is too obscure.

4) You should definitely detect and fail if the jarsigner attempts to
prompt for password input. At the very least for the first beta you should
require a password so the scenario doesn't exist. Quietly hanging the
build won't go over very well :)


> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>


[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48529 ] 

Jerome Lacoste commented on MNG-1130:
-------------------------------------

I have a working mojo. I need some feedback on how to improve/clean it up before submitting it. Want to answer the following questions?

- use a good name: JarSignMojo vs SignJarMojo ?

- where should the signed jar be produced? Right now I don't have a default location.
  I use a signedjar parameter which I've configured to 
           <signedjar>${project.build.directory}/signed/${project.build.finalName}.jar</signedjar>
  in my tests.

- should one perform parameter checking or should we let jarsigner do it for us?

- jarsigner has the stupid habit of asking questions when a password parameter is missing. I don't like this, it hangs the build, without output (I didn't redirect system.in to the output). Should we try to detect the issue, maybe redirect the question to the visible output and auto-resolve it (e.g. add garbage to System.in). That would be an improvement, not required for a first version.

Feel free to pop up on #maven.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>


[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Corridor Software Developer (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48549 ] 

Corridor Software Developer commented on MNG-1130:
--------------------------------------------------


https://svn.codehaus.org/mojo/trunk/mojo/mojo-sandbox/netbeans-freeform-maven-plugin/

is a better example. Demonstrates tests with multiple test projects.


> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>


[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130_jar-sign-verify.diff

3rd update after svn plugins directory was moved into new module

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>     Assignee: Brett Porter
>      Fix For: 2.0.1
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, MNG-1130_jar-sign-verify.diff, jar-sign-verify.diff, mng-1130.tar.gz
>
>


[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130-jar-sign.diff

This is my current state of the implementation.

Things lacking:
- documentation
- unit tests. I've wondered what to implement. I believe I should just validate commandline correctness. That sounds like the easiest to do.
  Unfortunately that is currently a little bit too tight to the environment (we resolve the full jarsigner path, and it is platform specific)
  Another way would be to do more complex functional testing, like in the netbeans mojo plugin, but in our case we generate a binary not a text file.
  So validating the signed jar file could be done using "jarsigner -verify -certs -verbose", but the resulting output needs a lot of parsing to be validated (in particular date handling etc). Sounds like a lot of trouble. 

  I would then go for simple command line validation if no one has a better idea
- implementation is currently limited to keystore with keypass. Otherwise we have the risk of jarsigner using System.in to ask the user for a password. The current implementation would hang. Better to avoid it.

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, mng-1130.tar.gz
>
>


[jira] Updated: (MNG-1130) Support jar signing.

Posted by "Jerome Lacoste (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-1130?page=all ]

Jerome Lacoste updated MNG-1130:
--------------------------------

    Attachment: MNG-1130-jar-sign.diff

Some more improvements:
- made keystore non required
- added errBuffer management. (will add error to thrown exception)
- use createArgument().setValue() instead of setLine() to not break quoted arguments
- fixed mkdirs when signedjar is not null (should never happen as it is a required parameter), and getParentFile() is null
  (may happen if relative path used)

> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, MNG-1130-jar-sign.diff, mng-1130.tar.gz
>
>

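The points raised in the two updates above (require the passwords so jarsigner never prompts, pass each argument as its own value, guard a null getParentFile()), shown as an added example using only the JDK. It is not the code from the attached patch; the class name, method names and sample paths are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Added illustration: class, method and parameter names are hypothetical.
public class JarSignerInvoker {

    /** Builds the jarsigner argv with one list element per argument. */
    static List<String> buildCommand(File keystore, String storepass, String keypass,
                                     String alias, File jar, File signedJar) {
        // jarsigner asks for a missing password on stdin, so reject that case up front.
        if (storepass == null || storepass.isEmpty() || keypass == null || keypass.isEmpty()) {
            throw new IllegalArgumentException("storepass and keypass are both required");
        }
        List<String> cmd = new ArrayList<>();
        cmd.add("jarsigner");
        if (keystore != null) {            // keystore is optional (made non-required in the thread)
            cmd.add("-keystore");
            cmd.add(keystore.getPath());   // stays one argument even when the path has spaces
        }
        cmd.add("-storepass");
        cmd.add(storepass);
        cmd.add("-keypass");
        cmd.add(keypass);
        cmd.add("-signedjar");
        cmd.add(signedJar.getPath());
        cmd.add(jar.getPath());
        cmd.add(alias);
        return cmd;
    }

    /** Creates the output directory; getParentFile() is null for a bare relative name. */
    static void ensureParentDir(File signedJar) throws IOException {
        File parent = signedJar.getAbsoluteFile().getParentFile();
        if (parent != null && !parent.isDirectory() && !parent.mkdirs()) {
            throw new IOException("cannot create " + parent);
        }
    }

    /** Runs the command with stdin closed and a timeout, so a prompt cannot stall the build. */
    static int run(List<String> cmd, long timeoutSeconds) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true)
                .redirectOutput(ProcessBuilder.Redirect.INHERIT).start();
        p.getOutputStream().close();       // child sees EOF on stdin instead of a terminal
        if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("jarsigner still running after " + timeoutSeconds + "s");
        }
        return p.exitValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the paths contain spaces on purpose.
        File signed = new File("target/signed/my app.jar");
        List<String> cmd = buildCommand(new File("my keys/test.jks"), "changeit", "changeit",
                "testalias", new File("target/my app.jar"), signed);
        System.out.println(cmd.size() + " arguments, last two: "
                + cmd.subList(cmd.size() - 2, cmd.size()));
        if (args.length > 0 && args[0].equals("--sign")) {   // needs a JDK and the sample files
            ensureParentDir(signed);
            System.exit(run(cmd, 60));
        }
    }
}
```

Passwords passed as arguments are visible in the process list while jarsigner runs; on current JDKs jarsigner also accepts `-storepass:env` and `-storepass:file`, which avoid that.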

[jira] Commented: (MNG-1130) Support jar signing.

Posted by "Corridor Software Developer (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-1130?page=comments#action_48547 ] 

Corridor Software Developer commented on MNG-1130:
--------------------------------------------------


The jpox plugin on the mojo site has an example of an automated unit test. Check it out of svn:

https://svn.codehaus.org/mojo/trunk/mojo/jpox-maven-plugin/

and look under src/test/java and src/test/projects.

My assumption is that the test projects I attached to the ticket would reside under src/test/projects and could be called from a JUnit test in src/test/java. JpoxEnhancerMojoTest shows how to do this. Trygve knows of another good source as well, but I've since forgotten which project it was.



> Support jar signing.
> --------------------
>
>          Key: MNG-1130
>          URL: http://jira.codehaus.org/browse/MNG-1130
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-jar-plugin
>     Versions: 2.0-beta-3
>  Environment: gentoo linux, jdk 1.4.2_06
>     Reporter: Corridor Software Developer
>  Attachments: mng-1130.tar.gz
>
>