
I have a few Eclipse plugins that are part of a feature. We would like to apply code signing to these plugins when the update site is updated.

I can see the JAR Signing tab when exporting an individual plugin, but I can't see anything similar in my update site project settings.

Also, the tutorials that I have read are using self-signed certificates. Can anyone point me towards instructions for using Verisign certificates (i.e. *.pfx files)?

Can anyone help?

Thanks, Alan

Edit: I have marked Kane's response as the answer because it is very similar to the steps that I took and was an inspiration. I actually followed these instructions to sign the jars because it was based on pfx files: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1072

Step 1: Run the following command to view details about the certificate (substituting the filename with your own):

keytool -list -v -storetype pkcs12 -keystore [Filename].pfx

Step 2: Scroll to the top of the output and take a note of the Alias name value.

Step 3: Sign each jar file using the following command (substituting the filenames and alias name for your own):

jarsigner -storetype pkcs12 -keystore [Filename].pfx [Filename].jar "[AliasName]"

I now need to come up with a way of managing / automating the process.

Alan Spark
  • For Verisign, this might help: https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR190 – VonC Aug 23 '11 at 11:20
  • Thanks VonC. I don't think signtool will work for jar files, I think I need to use jarsigner. – Alan Spark Aug 23 '11 at 14:37
  • Excellent. If you have an exact process, feel free to document it here as an answer ;) – VonC Aug 23 '11 at 15:01
  • @VonC I now have an exact process and have updated my question with the steps that I took. It is based on Kane's answer below. – Alan Spark Aug 25 '11 at 09:13

1 Answer


The update site project doesn't provide such a capability to sign the jars. Signing jars is a pure Java concept; you could use the signtool from the JDK to do it.

If you want to sign your jars using the certificate for Windows code signing, you could refer to this blog post.

In my successful experience, I convert the pfx to a JKS-format keystore first, then call the command below in Ant:

<signjar sigfile="MyCompany" alias="${sign.alias}" keystore="${sign.keystore}" storepass="${sign.storepass}" keypass="${sign.keypass}" tsaurl="https://timestamp.geotrust.com/tsa" preservelastmodified="true">
    <!-- the jars to sign; signjar needs a jar attribute or a nested fileset. The directory property is an assumption. -->
    <fileset dir="${plugins.dir}" includes="**/*.jar"/>
</signjar>
Kane
  • Thanks Kane. I will take a look at this. I actually did something similar using these instructions: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1072 but found that although I could verify that my jars were signed (although I did only sign the current versions of the jars, not the whole revision history), Eclipse still gave me the warning that the feature was unsigned. Any ideas? – Alan Spark Aug 23 '11 at 14:34
  • I indeed successfully did it, so posted my experience in a blog. You have to sign all feature/plug-ins jars that you want to install. – Kane Aug 23 '11 at 15:10
  • Another case: you can't sign already-signed jars (the jars released by Eclipse etc.) again. It will break the original signature. – Kane Aug 23 '11 at 15:17
  • Thanks Kane, I tried again - this time signing every jar I could find. It worked! – Alan Spark Aug 25 '11 at 09:03
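The question ends with the need to automate the keytool/jarsigner steps, and Kane's comments add two constraints: every plugin and feature jar has to be signed, and a jar that already carries a signature must not be signed again. The script below is an added example that ties those together; it is not code from the question, the answer, or any Eclipse project. It assumes a JDK's keytool and jarsigner are on PATH, that the update site uses the usual plugins/ and features/ layout, and that the keystore password is kept in a file readable only by the signing user (the -storepass:file form both tools accept) rather than typed on the command line, where it would show up in the process list and shell history.

```shell
#!/bin/sh
# Added example (not from the original post): sign every plugin/feature jar of an
# Eclipse update site with jarsigner from a PKCS#12 (.pfx) keystore, skipping jars
# that are already signed, then verify each signature.
# Assumptions: keytool and jarsigner on PATH; site layout <site>/plugins/*.jar and
# <site>/features/*.jar; keystore password stored in a 0600 file.
set -eu

# Step 2 of the question done by script: pull the "Alias name:" value out of a
# `keytool -list -v` listing read from stdin (first alias wins).
keystore_alias() {
    sed -n 's/^Alias name: *//p' | head -n 1
}

# Returns 0 when the jar already carries a valid signature. jarsigner -verify
# prints "jar verified." for a signed jar and "jar is unsigned." otherwise.
# Such jars are left alone: re-signing breaks the original signature.
jar_is_signed() {
    jarsigner -verify "$1" 2>/dev/null | grep -q '^jar verified\.'
}

# Sign all unsigned jars under plugins/ and features/ of a site directory.
# Usage: sign_site <site_dir> <keystore.pfx> <password_file> [timestamp_url]
sign_site() {
    site="$1"; keystore="$2"; passfile="$3"; tsa="${4:-}"

    alias=$(keytool -list -v -storetype pkcs12 -keystore "$keystore" \
                -storepass:file "$passfile" | keystore_alias)
    [ -n "$alias" ] || { echo "no alias found in $keystore" >&2; return 1; }

    for jar in "$site"/plugins/*.jar "$site"/features/*.jar; do
        [ -f "$jar" ] || continue          # glob matched nothing
        if jar_is_signed "$jar"; then
            echo "skip (already signed): $jar"
            continue
        fi
        if [ -n "$tsa" ]; then
            # A timestamp lets the signature stay valid after the certificate expires.
            jarsigner -storetype pkcs12 -keystore "$keystore" -storepass:file "$passfile" \
                -tsa "$tsa" "$jar" "$alias"
        else
            jarsigner -storetype pkcs12 -keystore "$keystore" -storepass:file "$passfile" \
                "$jar" "$alias"
        fi
        # Fail the run if the jar does not verify after signing.
        jar_is_signed "$jar" || { echo "signature check failed: $jar" >&2; return 1; }
        echo "signed: $jar"
    done
}

# Example invocation (paths and URL are placeholders):
# sign_site ./update-site ./codesign.pfx ./codesign.pass https://timestamp.example/tsa
```

Running this against the whole site directory rather than a hand-picked list is what addresses the "feature is unsigned" warning the question describes: Eclipse checks every artifact it installs, so one unsigned plugin or feature jar is enough to trigger it. The verify-after-sign check is cheap and catches a wrong alias or a keystore with a non-signing key before the site is published.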