Lennart Schedin created MJARSIGNER-74:
-----------------------------------------
Summary: Allow usage of multiple Time Stamping Authority (TSA)
servers
Key: MJARSIGNER-74
URL: https://issues.apache.org/jira/browse/MJARSIGNER-74
Project: Maven Jar Signer Plugin
Issue Type: New Feature
Affects Versions: 3.0.0
Reporter: Lennart Schedin
h3. Background
A Timestamping Authority (TSA) server is used to add a timestamp to the digital
signature. This timestamp indicates when the code was signed and helps prevent
issues that may arise if a certificate used for code signing expires.
The jarsigner command has 4 parameters relating to TSA (see
[https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html):]
1. {{-tsa url}}
2. {{-tsacert alias}}
3. {{-tsapolicyid policyid}}
4. {{-tsadigestalg algorithm}}
The maven-jarsigner-plugin currently has support to set {{-tsa}} and
{{-tsacert}} (the same goes for the library JarSignerSignRequest in the
[https://github.com/apache/maven-jarsigner] project).
h3. Feature requested
Allow usage of multiple TSA servers when signing. This could be useful for:
1. Better stability if one TSA server is down.
2. Better stability if a TSA server has imposed a rate-limit when signing many
jar files at the same time.
This feature has both been suggested by Thorsten Meinl as a patch to
[https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59] and
also by @jcompagner in
[https://github.com/apache/maven-jarsigner-plugin/pull/1#issuecomment-1412344998].
But since those suggestions were not tied to a direct ticket, I felt it would
be good to collect their feature requests as a separate dedicated ticket.
h3. Implementation suggestions
I don’t plan to implement this feature myself. But since I have analyzed the
issue, I can give my suggestions on how to implement it:
# The {{-tsapolicyid}} parameter is currently missing in the maven-jarsigner
project. Consider adding support for this while implementing this ticket.
# Since {{{}-tsa{}}}, {{{}-tsacert{}}}, {{-tsapolicyid}} all belong together,
I would recommend making a list of all 3.
# If the user specifies 3 tsa URLs but only 1 tsacert it gets a bit tricky.
The easiest way to handle this is to use validateParameters() (see
[https://github.com/apache/maven-jarsigner-plugin/pull/13/]) and throw a
MojoExecutionException if this happens.
# I recommend using a comma as separator for the items in the list. This way
it would be possible to change the data type from {{String}} to
{{{}String[{}}}] and Maven will itself handle the splitting on the comma (if
using the command format) or mangling of nested XML tags into a {{String[]}}
(if using nested XML format). Thus, the JarsignerSignMojo would not need to do
any String splitting.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
