automated "secure" code signing

Question

I want to set up the jobs in our buildserver (Jenkins) to automatically sign the generated jars.

For obvious reasons I do not want to put the certificate and credentials in the version control, or even readable in the job configuration.

Ideally I want to have some kind of "signing server" where the buildserver can send a jar to, to be signed.

According to the documentation the Eclipse project has a system like that. But there's no mention on the technology they use.

So does anybody know of a "singing server" solution, or a different way to solve this problem?

Answer 1

I am not sure about existing solution. However, I think you can build a solution on your own within a day:

Machine A will run Jenkins and have a shared folder Machine B will run any application/web server (as example Apache + PHP) and which has signing keys.

As part of Jenkins job you do following actions: a) Copy jars to shared folder b) Run shell script "wget http:// machineBURL /sign.php?filename=SomeJar.jar"

On Machine B you will have PHP script, which will get a passed filename, get the jar with this filename from shared folder, sign it and put it back in the same folder.

Answer 2

Eclispe WIKI documented the sign process, for short

• Use scp to copy the eclipse-master-${buildId}.zip to the eclipse.org signing staging area using pserver.

<exec dir="${packtmp}" executable="scp" output="signing.txt"> <arg line="${archiveName} dev.eclipse.org:${stagingDirectory}"/> </exec>

• Invoke the signing script /usr/bin/sign on signing server.

<exec dir="." executable="ssh" output="signing.txt" append="true"> <arg line="build.eclipse.org "cd ${stagingDirectory}; /usr/bin/sign ${stagingDirectory}/${archiveName} mail ${stagingDirectoryOutput}""/> </exec>

• Poll the server for the signed file in the output directory.

<exec dir="." executable="scp" output="signing.txt" append="true"> <arg line="dev.eclipse.org:${stagingDirectory}/${buildId}-out/${archiveName} ${buildDirectory}/${buildLabel}"/> </exec>