[jira] [Updated] (NIFI-15675) Add NAR signing support using JDK JarSigner

Fri, 06 Mar 2026 01:47:06 -0800 


     [ 
https://issues.apache.org/jira/browse/NIFI-15675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Villard updated NIFI-15675:
----------------------------------
    Status: Patch Available  (was: Open)

> Add NAR signing support using JDK JarSigner
> -------------------------------------------
>
>                 Key: NIFI-15675
>                 URL: https://issues.apache.org/jira/browse/NIFI-15675
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Tools and Build
>            Reporter: Pierre Villard
>            Assignee: Pierre Villard
>            Priority: Major
>
> When NiFi dynamically downloads or auto-loads NARs from external sources, 
> there is currently no mechanism to verify that a NAR has not been tampered 
> with or that it originates from a trusted publisher. This is the build-side 
> prerequisite for enabling signature verification in the NiFi runtime.
> Since a NAR is structurally a JAR, the JDK's built-in JAR signing mechanism 
> is the natural fit. This issue covers adding optional signing parameters to 
> the existing goal in the plugin. Signing is disabled by default for full 
> backward compatibility. A follow-up issue will cover runtime verification in 
> NiFi itself.
> Seven new parameters on the {{nar}} goal, all optional:
> ||Parameter||Property||Default||Description||
> |{{sign}}|{{nar.sign}}|{{false}}|Enable signing|
> |{{signKeystore}}|{{nar.sign.keystore}}|—|Path to PKCS12/JKS keystore|
> |{{signStorepass}}|{{nar.sign.storepass}}|—|Keystore password|
> |{{signAlias}}|{{nar.sign.alias}}|—|Key alias|
> |{{signKeypass}}|{{nar.sign.keypass}}|—|Key password (defaults to storepass)|
> |{{signStoretype}}|{{nar.sign.storetype}}|{{PKCS12}}|Keystore type|
> |{{signTsa}}|{{nar.sign.tsa}}|—|TSA URL for timestamping|
> Minimal usage:
> {code:java}
>  <configuration>
>     <sign>true</sign>
>     <signKeystore>/path/to/keystore.p12</signKeystore>
>     <signStorepass>${env.NAR_SIGN_PASSWORD}</signStorepass>
>     <signAlias>nar-signer</signAlias>
>  </configuration>
> {code}
>  
> Or entirely via command line with no POM changes:
> {code:java}
> mvn package -Dnar.sign=true -Dnar.sign.keystore=... -Dnar.sign.storepass=... 
> -Dnar.sign.alias=...
> {code}
>  
> Signed NARs can be verified with standard JDK tooling: {{jarsigner -verify 
> -verbose -certs target/my.nar}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to