[
https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663664#action_12663664
]
Delos Dai commented on GERONIMODEVTOOLS-521:
--------------------------------------------
Ted, sorry for limited information about the patch.
This patch will generate a keystore file first(it will be overrided if
existing) when you trigger build. It can work with both clean and non-clean
mvn builds.
Following is my understanding about eclipse signature mechanism:
Signature for jar is not specific for eclipse plugin. JDK itself provide tools
to generate keys and sign a jar package. The tools are keytool and
jarsign.Eclipse just validate package with this mechanism. Here is another
reference:
http://www.ibm.com/developerworks/opensource/library/os-eclipse-plugin-sigs/index.html?S_TACT=105AGX52&S_CMP=content
About these two parameters
<keystoreKeypass>devtools</keystoreKeypass>
<keystoreStorepass>geronimo</keystoreStorepass>
Eclipse signature mechanism works as X.509 certification process. Here,
"keystoreKeypass" is a password to protect private key for signing the package
and "keystoreStorepass" is a password to access the "keystore" file, which
contains public key and private key and is generated by keytool. Once all the
packages have been signed, "keystore" is no longer used.
When signed with the private key, in META-INF directory of each plugin, there
will two files "eclipse.sf" and "eclipse.dsa". "eclipse.sf" is digest of the
plugin, while "eclipse.dsa" contains the public key and digital signature
generated with private key(maybe encryption). Eclipse can get the digest from
"eclipse.dsa" with public key in it and compare the digest with content of
"eclipse.sf", if they matches, it proves to be valid and not corrupt.
Obviously, we use third certificate here (generated in build), I hope to know
whether it matters?
I agree with you that these two password "keystoreKeypass" and
"keystoreStorepass" shouldn't be public, so I think current issue is how to
avoid the two parameters exposing. Maybe we can dynamic generate the password?
Any opinion?
Hope it help to clarify. Any comments?
> Sign features so the eclipse update manager recognizes them as signed
> ---------------------------------------------------------------------
>
> Key: GERONIMODEVTOOLS-521
> URL:
> https://issues.apache.org/jira/browse/GERONIMODEVTOOLS-521
> Project: Geronimo-Devtools
> Issue Type: Bug
> Components: eclipse-plugin
> Affects Versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3
> Reporter: Ted Kirby
> Assignee: Tim McConnell
> Fix For: 2.2.0
>
> Attachments: 521.patch, 521_updated.patch
>
>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
