You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/06/09 17:11:39 UTC

[tomcat] branch 9.0.x updated: Integrate JSign for cross-platform builds with signed Windows binaries

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new f2091bf  Integrate JSign for cross-platform builds with signed Windows binaries
f2091bf is described below

commit f2091bf8b027fefb4a82f26cdba6a806d19301e3
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 9 17:36:25 2021 +0100

    Integrate JSign for cross-platform builds with signed Windows binaries
    
    Big thanks due to ebourg
---
 build.properties.default   | 18 ++++++++++++--
 build.xml                  | 59 +++++++++++++++++++++++++++++-----------------
 webapps/docs/changelog.xml |  8 +++++++
 3 files changed, 61 insertions(+), 24 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 7838db8..2667fdf 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -77,9 +77,11 @@ org.apache.tomcat.util.net.NioSelectorShared=true
 gpg.exec=/path/to/gpg
 
 # Code signing of Windows installer
+# See https://infra.apache.org/digicert-use.html for setup instructions
 do.codesigning=false
-codesigning.exec=signtool.exe
-codesigning.certificate.thumbprint=5a606116432aba614c246d15e792f9e4bcf19cbf
+codesigning.pkcs11properties=${user.home}/.digicertone/pkcs11properties.cfg
+codesigning.alias=Tomcat-PMC-key-2021-04
+codesigning.digest=SHA-512
 
 # ----- Settings to use when downloading files -----
 trydownload.httpusecaches=true
@@ -311,3 +313,15 @@ osgi-annotations.checksum.value=153054f987534244f95a399539b11375|b6e802bceba0682
 osgi-annotations.home=${base.path}/osgi-annotations-${osgi-annotations.version}
 osgi-annotations.jar=${osgi-annotations.home}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar
 osgi-annotations.loc=${base-maven.loc}/org/osgi/org.osgi.annotation.bundle/${osgi-annotations.version}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar
+
+# ----- JSign, version 3.1 or later -----
+jsign.version=3.1
+
+# checksums for JSign 3.1
+jsign.checksum.enable=true
+jsign.checksum.algorithm=MD5|SHA-1
+jsign.checksum.value=ed924fc86b7abe1dfe22fd8fd7e4c417|5736035f64805b2760a41ebc1ff11523f666f2c7
+
+jsign.home=${base.path}/jsign-${jsign.version}
+jsign.jar=${jsign.home}/jsign-${jsign.version}.jar
+jsign.loc=${base-maven.loc}/net/jsign/jsign/${jsign.version}/jsign-${jsign.version}.jar
diff --git a/build.xml b/build.xml
index d1eb1c2..32c59ef 100644
--- a/build.xml
+++ b/build.xml
@@ -2604,18 +2604,15 @@ skip.installer property in build.properties" />
   </target>
 
   <target name="-installer-sign-uninstaller"
-      unless="skip.installer" depends="-installer-create-uninstaller"
+      unless="skip.installer" depends="-installer-create-uninstaller,setup-jsign"
       if="${do.codesigning}">
-    <exec executable="${codesigning.exec}" failonerror="true">
-      <arg value="sign"/>
-      <arg value="/sha1"/>
-      <arg value="${codesigning.certificate.thumbprint}"/>
-      <arg value="/fd"/>
-      <arg value="sha512"/>
-      <arg value="/tr"/>
-      <arg value="http://timestamp.digicert.com"/>
-      <arg value="${tomcat.dist}/Uninstall.exe"/>
-    </exec>
+    <jsign file="${tomcat.dist}/Uninstall.exe"
+        keystore="${codesigning.pkcs11properties}"
+        storepass="NONE"
+        storetype="PKCS11"
+        alias="${codesigning.alias}"
+        alg="${codesigning.digest}"
+        tsaurl="http://timestamp.digicert.com"/>
   </target>
 
   <target name="-installer" unless="skip.installer"
@@ -2637,17 +2634,14 @@ skip.installer property in build.properties" />
 
   <target name="installer-sign"
       description="Builds and optionally signs the Windows installer"
-      depends="-installer" if="${do.codesigning}" >
-    <exec executable="${codesigning.exec}" failonerror="true">
-      <arg value="sign"/>
-      <arg value="/sha1"/>
-      <arg value="${codesigning.certificate.thumbprint}"/>
-      <arg value="/fd"/>
-      <arg value="sha512"/>
-      <arg value="/tr"/>
-      <arg value="http://timestamp.digicert.com"/>
-      <arg value="${tomcat.release}/v${version}/bin/${final.name}.exe"/>
-    </exec>
+      depends="-installer,setup-jsign" if="${do.codesigning}" >
+    <jsign file="${tomcat.release}/v${version}/bin/${final.name}.exe"
+        keystore="${codesigning.pkcs11properties}"
+        storepass="NONE"
+        storetype="PKCS11"
+        alias="${codesigning.alias}"
+        alg="${codesigning.digest}"
+        tsaurl="http://timestamp.digicert.com"/>
     <!-- .exe has changed so need to redo checksums and OpenPGP signature -->
     <delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.asc" />
     <delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.sha512" />
@@ -3689,6 +3683,27 @@ Read the Building page on the Apache Tomcat documentation site for details on ho
 
   <!-- ======================= Macros, Taskdefs etc ======================== -->
 
+  <target name="download-jsign" >
+    <!-- Download jsign -->
+    <antcall target="downloadfile">
+      <param name="sourcefile" value="${jsign.loc}"/>
+      <param name="destfile" value="${jsign.jar}"/>
+      <param name="destdir" value="${jsign.home}"/>
+      <param name="checksum.enabled" value="${jsign.checksum.enabled}"/>
+      <param name="checksum.algorithm" value="${jsign.checksum.algorithm}"/>
+      <param name="checksum.value" value="${jsign.checksum.value}"/>
+    </antcall>
+  </target>
+
+  <target name="setup-jsign" depends="download-jsign">
+    <!-- Add jsign tasks to project -->
+    <path id="jsign.classpath">
+      <fileset file="${jsign.jar}" />
+    </path>
+
+    <taskdef name="jsign" classname="net.jsign.JsignTask" classpathref="jsign.classpath" />
+  </target>
+
   <target name="download-bnd" >
     <!-- Download bnd -->
     <antcall target="downloadfile">
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9671b9e..745ed84 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,14 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Other">
+    <changelog>
+      <add>
+        Use JSign to integrate the build script with the code signing service to
+        enable release builds to be created on Linux as well as Windows. (markt)
+      </add>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 9.0.47 (remm)" rtext="not released">
   <subsection name="Catalina">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org