This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 9f391c9 Integrate JSign for cross-platform builds with signed Windows
binaries
9f391c9 is described below
commit 9f391c998ee9adbc22acce2bbabbc2c6b8fc4172
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jun 9 17:36:25 2021 +0100
Integrate JSign for cross-platform builds with signed Windows binaries
Big thanks due to ebourg
---
build.properties.default | 18 +++++++++++++--
build.xml | 59 ++++++++++++++++++++++++++++++------------------
2 files changed, 53 insertions(+), 24 deletions(-)
diff --git a/build.properties.default b/build.properties.default
index 7572888..8cc72bb 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -77,9 +77,11 @@ org.apache.tomcat.util.net.NioSelectorShared=true
gpg.exec=/path/to/gpg
# Code signing of Windows installer
+# See https://infra.apache.org/digicert-use.html for setup instructions
do.codesigning=false
-codesigning.exec=signtool.exe
-codesigning.certificate.thumbprint=5a606116432aba614c246d15e792f9e4bcf19cbf
+codesigning.pkcs11properties=${user.home}/.digicertone/pkcs11properties.cfg
+codesigning.alias=Tomcat-PMC-key-2021-04
+codesigning.digest=SHA-512
# ----- Settings to use when downloading files -----
trydownload.httpusecaches=true
@@ -323,3 +325,15 @@
migration-lib.checksum.value=cecc0fa3b5947dd52465ed395ba3f23f|19a3e36dec08bbc60a
migration-lib.home=${base.path}/migration-${migration-lib.version}
migration-lib.jar=${migration-lib.home}/jakartaee-migration-${migration-lib.version}-shaded.jar
migration-lib.loc=${base-maven.loc}/org/apache/tomcat/jakartaee-migration/${migration-lib.version}/jakartaee-migration-${migration-lib.version}-shaded.jar
+
+# ----- JSign, version 3.1 or later -----
+jsign.version=3.1
+
+# checksums for JSign 3.1
+jsign.checksum.enable=true
+jsign.checksum.algorithm=MD5|SHA-1
+jsign.checksum.value=ed924fc86b7abe1dfe22fd8fd7e4c417|5736035f64805b2760a41ebc1ff11523f666f2c7
+
+jsign.home=${base.path}/jsign-${jsign.version}
+jsign.jar=${jsign.home}/jsign-${jsign.version}.jar
+jsign.loc=${base-maven.loc}/net/jsign/jsign/${jsign.version}/jsign-${jsign.version}.jar
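Review bot: The property added here is `jsign.checksum.enable`, but the `download-jsign` target in the build.xml part of this commit passes `${jsign.checksum.enabled}`, so the name never resolves and `downloadfile` receives an unexpanded literal as its checksum switch. `downloadfile` is not visible in this diff, but if it verifies only when that value is `true`, the JSign jar that signs the release binaries is downloaded and loaded without an integrity check. Rename the line to `jsign.checksum.enabled=true`. Separately, MD5 and SHA-1 are weak pins for a tool on the signing path, although they appear to match the file's existing convention; a SHA-512 value would be stronger if `downloadfile` accepts one.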
diff --git a/build.xml b/build.xml
index 993f31f..77f9083 100644
--- a/build.xml
+++ b/build.xml
@@ -2622,18 +2622,15 @@ skip.installer property in build.properties" />
</target>
<target name="-installer-sign-uninstaller"
- unless="skip.installer" depends="-installer-create-uninstaller"
+ unless="skip.installer"
depends="-installer-create-uninstaller,setup-jsign"
if="${do.codesigning}">
- <exec executable="${codesigning.exec}" failonerror="true">
- <arg value="sign"/>
- <arg value="/sha1"/>
- <arg value="${codesigning.certificate.thumbprint}"/>
- <arg value="/fd"/>
- <arg value="sha512"/>
- <arg value="/tr"/>
- <arg value="http://timestamp.digicert.com"/>
- <arg value="${tomcat.dist}/Uninstall.exe"/>
- </exec>
+ <jsign file="${tomcat.dist}/Uninstall.exe"
+ keystore="${codesigning.pkcs11properties}"
+ storepass="NONE"
+ storetype="PKCS11"
+ alias="${codesigning.alias}"
+ alg="${codesigning.digest}"
+ tsaurl="http://timestamp.digicert.com"/>
</target>
<target name="-installer" unless="skip.installer"
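Review bot: Listing `setup-jsign` in `depends` makes it run before Ant evaluates this target's `if`/`unless`, so the JSign jar is downloaded and loaded through `taskdef` even when `do.codesigning` is false. The same applies to `installer-sign` in the next hunk. Guard the new targets themselves, `<target name="download-jsign" if="${do.codesigning}">` and `<target name="setup-jsign" depends="download-jsign" if="${do.codesigning}">`, so unsigned builds never fetch or load the signing tool. The `-installer` target that opens on the last line continues outside the hunk.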
@@ -2655,17 +2652,14 @@ skip.installer property in build.properties" />
<target name="installer-sign"
description="Builds and optionally signs the Windows installer"
- depends="-installer" if="${do.codesigning}" >
- <exec executable="${codesigning.exec}" failonerror="true">
- <arg value="sign"/>
- <arg value="/sha1"/>
- <arg value="${codesigning.certificate.thumbprint}"/>
- <arg value="/fd"/>
- <arg value="sha512"/>
- <arg value="/tr"/>
- <arg value="http://timestamp.digicert.com"/>
- <arg value="${tomcat.release}/v${version}/bin/${final.name}.exe"/>
- </exec>
+ depends="-installer,setup-jsign" if="${do.codesigning}" >
+ <jsign file="${tomcat.release}/v${version}/bin/${final.name}.exe"
+ keystore="${codesigning.pkcs11properties}"
+ storepass="NONE"
+ storetype="PKCS11"
+ alias="${codesigning.alias}"
+ alg="${codesigning.digest}"
+ tsaurl="http://timestamp.digicert.com"/>
<!-- .exe has changed so need to redo checksums and OpenPGP signature -->
<delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.asc" />
<delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.sha512"
/>
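Review bot: The timestamp authority URL is hard-coded in both `jsign` calls (here and in `-installer-sign-uninstaller`), while the keystore path, alias and digest come from `codesigning.*` properties. Adding `codesigning.tsaurl=http://timestamp.digicert.com` to build.properties.default and using `tsaurl="${codesigning.tsaurl}"` in both places would keep the signing configuration in one file and let a release manager switch TSA without editing build.xml.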
@@ -3717,6 +3711,27 @@ Read the Building page on the Apache Tomcat
documentation site for details on ho
<!-- ======================= Macros, Taskdefs etc ========================
-->
+ <target name="download-jsign" >
+ <!-- Download jsign -->
+ <antcall target="downloadfile">
+ <param name="sourcefile" value="${jsign.loc}"/>
+ <param name="destfile" value="${jsign.jar}"/>
+ <param name="destdir" value="${jsign.home}"/>
+ <param name="checksum.enabled" value="${jsign.checksum.enabled}"/>
+ <param name="checksum.algorithm" value="${jsign.checksum.algorithm}"/>
+ <param name="checksum.value" value="${jsign.checksum.value}"/>
+ </antcall>
+ </target>
+
+ <target name="setup-jsign" depends="download-jsign">
+ <!-- Add jsign tasks to project -->
+ <path id="jsign.classpath">
+ <fileset file="${jsign.jar}" />
+ </path>
+
+ <taskdef name="jsign" classname="net.jsign.JsignTask"
classpathref="jsign.classpath" />
+ </target>
+
<target name="download-bnd" >
<!-- Download bnd -->
<antcall target="downloadfile">