pvillard31 opened a new pull request, #48: URL: https://github.com/apache/nifi-maven/pull/48
https://issues.apache.org/jira/browse/NIFI-15675 ## Add NAR signing support using JDK JarSigner When NiFi dynamically downloads or auto-loads NARs from external sources, there is currently no mechanism to verify that a NAR has not been tampered with or that it originates from a trusted publisher. This is the build-side prerequisite for enabling signature verification in the NiFi runtime. Since a NAR is structurally a JAR, the JDK's built-in JAR signing mechanism is the natural fit. This issue covers adding optional signing parameters to the existing goal in the plugin. Signing is disabled by default for full backward compatibility. A follow-up issue will cover runtime verification in NiFi itself. - Adds optional NAR signing to the existing `nar` goal using the JDK's `jdk.security.jarsigner.JarSigner` API - Signing is disabled by default (`nar.sign=false`) — fully backward compatible, no behavioral change unless explicitly opted in - After `createArchive()` produces the NAR, the new `signNar()` step signs it in place using the configured keystore, then the signed NAR is registered as the project artifact ## Configuration Seven new parameters on the `nar` goal, all optional: | Parameter | Property | Default | Description | |-----------|----------|---------|-------------| | `sign` | `nar.sign` | `false` | Enable signing | | `signKeystore` | `nar.sign.keystore` | — | Path to PKCS12/JKS keystore | | `signStorepass` | `nar.sign.storepass` | — | Keystore password | | `signAlias` | `nar.sign.alias` | — | Key alias | | `signKeypass` | `nar.sign.keypass` | — | Key password (defaults to storepass) | | `signStoretype` | `nar.sign.storetype` | `PKCS12` | Keystore type | | `signTsa` | `nar.sign.tsa` | — | TSA URL for timestamping | Minimal usage: ```xml <configuration> <sign>true</sign> <signKeystore>/path/to/keystore.p12</signKeystore> <signStorepass>${env.NAR_SIGN_PASSWORD}</signStorepass> <signAlias>nar-signer</signAlias> </configuration> ``` Or entirely via command line with no POM changes: ```bash mvn package -Dnar.sign=true -Dnar.sign.keystore=... -Dnar.sign.storepass=... -Dnar.sign.alias=... ``` Signed NARs can be verified with standard JDK tooling: `jarsigner -verify -verbose -certs target/my.nar` ## Approach A NAR is structurally a JAR. Rather than inventing a custom signature format, this uses the JDK's `JarSigner` API (available since Java 9, stable in Java 21) which signs each entry inside the archive with SHA-256 digests and produces standard PKCS#7 signature blocks. This means: - Zero custom signature format — uses the decades-old JAR signing standard - Interoperable — verifiable with `jarsigner -verify` by anyone - No new dependencies — `jdk.security.jarsigner.JarSigner` is part of the JDK itself - No changes to the NAR file format — the signature lives in `META-INF/` like any signed JAR ## Verification building nifi-aws-nar ### NAR build ``` ... [INFO] Building jar: /.../nifi/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-nar/target/nifi-aws-nar-2.9.0-SNAPSHOT.nar [INFO] Signing NAR: nifi-aws-nar-2.9.0-SNAPSHOT.nar [INFO] Signed NAR [nifi-aws-nar-2.9.0-SNAPSHOT.nar] with alias [nar-signer] from keystore [/.../nar-signing/nar-signing.p12] ... ``` ### NAR content ``` % unzip -l ./nifi-aws-nar/target/nifi-aws-nar-2.9.0-SNAPSHOT.nar | head Archive: ./nifi-aws-nar/target/nifi-aws-nar-2.9.0-SNAPSHOT.nar Length Date Time Name --------- ---------- ----- ---- 18178 03-06-2026 10:36 META-INF/MANIFEST.MF 17984 03-06-2026 10:36 META-INF/SIGNER.SF 820 03-06-2026 10:36 META-INF/SIGNER.EC 0 02-13-2026 22:38 META-INF/ 24862 02-13-2026 22:38 META-INF/DEPENDENCIES 11608 02-13-2026 22:38 META-INF/LICENSE 8303 02-13-2026 22:38 META-INF/NOTICE ``` ### Verification ``` % jarsigner -verify -verbose -certs ./nifi-aws-nar/target/nifi-aws-nar-2.9.0-SNAPSHOT.nar s 18178 Fri Mar 06 10:36:46 CET 2026 META-INF/MANIFEST.MF >>> Signer X.509, CN=Your Name, O=Your Organization, C=US Signature algorithm: SHA256withECDSA, 256-bit key [certificate is valid from 06/03/2026, 10:27 to 03/03/2036, 10:27] [Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] 17984 Fri Mar 06 10:36:46 CET 2026 META-INF/SIGNER.SF 820 Fri Mar 06 10:36:46 CET 2026 META-INF/SIGNER.EC ... - Signed by "CN=Your Name, O=Your Organization, C=US" Digest algorithm: SHA-256 Signature algorithm: SHA384withECDSA, 256-bit key jar verified. ``` ### Manifest ``` % unzip -p ./nifi-aws-nar/target/nifi-aws-nar-2.9.0-SNAPSHOT.nar META-INF/MANIFEST.MF Manifest-Version: 1.0 Created-By: Apache NiFi Nar Maven Plugin 2.4.0-SNAPSHOT Java-Version: 21 Build-Jdk-Spec: 21 Nar-Signed-By: CN=Your Name,O=Your Organization,C=US Nar-Id: nifi-aws-nar Nar-Group: org.apache.nifi Nar-Version: 2.9.0-SNAPSHOT Nar-Dependency-Group: org.apache.nifi Nar-Dependency-Id: nifi-aws-service-api-nar Nar-Dependency-Version: 2.9.0-SNAPSHOT Build-Tag: HEAD Build-Timestamp: 2026-02-13T22:38:02Z Clone-During-Instance-Class-Loading: false Name: META-INF/bundled-dependencies/nifi-aws-regions-2.9.0-SNAPSHOT.jar SHA-256-Digest: Oe0oiBk1HeuiqF2PPV2iQEMeNoWeVrhG1CP9nV0DTpQ= Name: META-INF/bundled-dependencies/wire-grpc-client-jvm-5.2.0.jar SHA-256-Digest: sgRBcicsGM0kr1Bsgoe1tIBSZ+/4abZtLYUhqLfyISs= Name: META-INF/bundled-dependencies/jakarta.activation-api-2.1.4.jar SHA-256-Digest: ydtSEAzmyKrJXMOQdflXINLlYbEfgFG4HBIa1O/9cAQ= ... ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
