I want to set up the jobs in our buildserver (Jenkins) to automatically sign the generated jars.
For obvious reasons I do not want to put the certificate and credentials in the version control, or even readable in the job configuration.
Ideally I want to have some kind of "signing server" where the buildserver can send a jar to, to be signed.
According to the documentation the Eclipse project has a system like that. But there's no mention of the technology they use.
So does anybody know of a "signing server" solution, or a different way to solve this problem?
Regular Code Signing – both give developers a secure environment for their software code. EV code signing keeps the private key secret on a hardware token, whereas in regular code signing the private key is not provided on a separate external drive.
If you don't use Microsoft Visual Studio 2012 to create and sign your app packages, you need to create and manage your own code signing certificates. You can create certificates by using MakeCert.exe and Pvk2Pfx.exe from the Windows Driver Kit (WDK).
Code signing is used on Windows and Mac OS X to authenticate software on first run, ensuring that the software has not been maliciously tampered with by a third-party distributor or download site.
Code signing is a method of putting a digital signature on a program, file, software update or executable, so that its authenticity and integrity can be verified upon installation and execution. Like a wax seal, it guarantees to the recipient who the author is, and that it hasn't been opened and tampered with.
I am not sure about an existing solution. However, I think you can build a solution on your own within a day:
Machine A will run Jenkins and have a shared folder. Machine B will run any application/web server (for example Apache + PHP) and holds the signing keys.
As part of the Jenkins job you do the following actions:
a) Copy the jars to the shared folder
b) Run the shell script "wget http://machineBURL/sign.php?filename=SomeJar.jar"
On Machine B you will have a PHP script, which will get the passed filename, get the jar with this filename from the shared folder, sign it and put it back in the same folder.
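A minimal signing endpoint for the shared-folder design in the answer above, as an added example (not code from the answer or from any Jenkins or Eclipse project): it stands in for sign.php, accepts only a bare .jar name that resolves inside the shared directory, requires a shared secret before touching anything, and runs the JDK's jarsigner with the store password taken from the environment rather than from the request or the job. SHARED_DIR, KEYSTORE, the alias, the X-Sign-Token header, the SIGN_TOKEN and SIGN_STOREPASS variables and the timestamp URL are all assumptions.

```python
# Added example: minimal signing endpoint for the shared-folder design above.
# Assumed: Jenkins drops jars into SHARED_DIR and calls GET /sign?filename=<name>
# with the shared secret in an X-Sign-Token header; jarsigner runs on this host.
import hmac
import os
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SHARED_DIR = "/srv/signing/inbox"         # assumed mount shared with Jenkins
KEYSTORE = "/etc/signing/release.jks"     # assumed; readable only by this service
ALIAS = "release"                         # assumed key alias
TOKEN = os.environ.get("SIGN_TOKEN", "")  # shared secret, handed to Jenkins out of band
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+\.jar")

def resolve_jar(filename, base=SHARED_DIR):
    """Absolute path of a plain .jar directly inside base, else None."""
    if not SAFE_NAME.fullmatch(filename):
        return None
    path = os.path.realpath(os.path.join(base, filename))
    return path if os.path.dirname(path) == os.path.realpath(base) else None

def token_ok(presented, expected=TOKEN):
    """Constant-time token check; an unset secret never matches."""
    return bool(expected) and hmac.compare_digest(presented, expected)

def sign_jar(path):
    """Sign in place; the store password comes from SIGN_STOREPASS, not argv or the job."""
    cmd = ["jarsigner", "-keystore", KEYSTORE, "-storepass:env", "SIGN_STOREPASS",
           "-tsa", "http://tsa.example.invalid", path, ALIAS]  # TSA URL is a placeholder
    return subprocess.run(cmd, check=False).returncode

class SignHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/sign" or not token_ok(self.headers.get("X-Sign-Token", "")):
            return self._reply(403, "forbidden")
        jar = resolve_jar(parse_qs(url.query).get("filename", [""])[0])
        if jar is None or not os.path.isfile(jar):
            return self._reply(400, "bad filename")
        rc = sign_jar(jar)
        self._reply(200 if rc == 0 else 500, f"jarsigner exit {rc}")

    def _reply(self, code, text):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(text.encode())

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SignHandler).serve_forever()  # firewall to the Jenkins host
```

The Jenkins step then becomes the wget call from the answer plus the token header; the keystore and its password never leave Machine B.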
The Eclipse wiki documents the signing process; in short:
<exec dir="${packtmp}" executable="scp" output="signing.txt">
  <arg line="${archiveName} dev.eclipse.org:${stagingDirectory}"/>
</exec>
<exec dir="." executable="ssh" output="signing.txt" append="true">
  <arg line='build.eclipse.org "cd ${stagingDirectory}; /usr/bin/sign ${stagingDirectory}/${archiveName} mail ${stagingDirectoryOutput}"'/>
</exec>
<exec dir="." executable="scp" output="signing.txt" append="true">
  <arg line="dev.eclipse.org:${stagingDirectory}/${buildId}-out/${archiveName} ${buildDirectory}/${buildLabel}"/>
</exec>