Pierre Villard created NIFI-15675:
-------------------------------------
Summary: Add NAR signing support using JDK JarSigner
Key: NIFI-15675
URL: https://issues.apache.org/jira/browse/NIFI-15675
Project: Apache NiFi
Issue Type: New Feature
Components: Tools and Build
Reporter: Pierre Villard
Assignee: Pierre Villard

When NiFi dynamically downloads or auto-loads NARs from external sources, there
is currently no mechanism to verify that a NAR has not been tampered with or
that it originates from a trusted publisher. This is the build-side
prerequisite for enabling signature verification in the NiFi runtime.

Since a NAR is structurally a JAR, the JDK's built-in JAR signing mechanism is
the natural fit. This issue covers adding optional signing parameters to the
existing goal in the plugin. Signing is disabled by default for full backward
compatibility. A follow-up issue will cover runtime verification in NiFi itself.

Seven new parameters on the {{nar}} goal, all optional:
||Parameter||Property||Default||Description||
|{{sign}}|{{nar.sign}}|{{false}}|Enable signing|
|{{signKeystore}}|{{nar.sign.keystore}}|—|Path to PKCS12/JKS keystore|
|{{signStorepass}}|{{nar.sign.storepass}}|—|Keystore password|
|{{signAlias}}|{{nar.sign.alias}}|—|Key alias|
|{{signKeypass}}|{{nar.sign.keypass}}|—|Key password (defaults to storepass)|
|{{signStoretype}}|{{nar.sign.storetype}}|{{PKCS12}}|Keystore type|
|{{signTsa}}|{{nar.sign.tsa}}|—|TSA URL for timestamping|
Minimal usage:
{code:xml}
<configuration>
  <sign>true</sign>
  <signKeystore>/path/to/keystore.p12</signKeystore>
  <signStorepass>${env.NAR_SIGN_PASSWORD}</signStorepass>
  <signAlias>nar-signer</signAlias>
</configuration>
{code}
Or entirely via command line with no POM changes:
{code:bash}
mvn package -Dnar.sign=true -Dnar.sign.keystore=... -Dnar.sign.storepass=... \
    -Dnar.sign.alias=...
{code}
Signed NARs can be verified with standard JDK tooling: {{jarsigner -verify -verbose -certs target/my.nar}}