[
https://issues.apache.org/jira/browse/MJARSIGNER-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lennart Schedin updated MJARSIGNER-74:
--------------------------------------
Description:
h3. Background
A Timestamping Authority (TSA) server is used to add a timestamp to the digital
signature. This timestamp indicates when the code was signed and helps prevent
issues that may arise if a certificate used for code signing expires.
The jarsigner command has 4 parameters relating to TSA (see
[https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html):]
1. {{-tsa url}}
2. {{-tsacert alias}}
3. {{-tsapolicyid policyid}}
4. {{-tsadigestalg algorithm}}
The maven-jarsigner-plugin currently has support to set {{-tsa}} and
{{-tsacert}} (the same goes for the library JarSignerSignRequest in the
[https://github.com/apache/maven-jarsigner] project).
h3. Feature requested
Allow usage of multiple TSA servers when signing. This could be useful for:
1. Better stability if one TSA server is down.
2. Better stability if a TSA server has imposed a rate-limit when signing many
jar files at the same time.
This feature has both been suggested by Thorsten Meinl as a patch to
[https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59] and
also by @jcompagner in
[https://github.com/apache/maven-jarsigner-plugin/pull/1#issuecomment-1412344998].
But since those suggestions were not tied to a direct ticket, I felt it would
be good to collect their feature requests as a separate dedicated ticket.
h3. Implementation suggestions
I don’t plan to implement this feature myself. But since I have analyzed the
issue, I can give my suggestions on how to implement it:
# The {{-tsapolicyid}} parameter is currently missing in the maven-jarsigner
project. Consider adding support for this while implementing this ticket.
# Since {{{}-tsa{}}}, {{{}-tsacert{}}}, {{-tsapolicyid}} all belong together,
I would recommend making a list of all 3.
# If the user specifies 3 tsa URLs but only 1 tsacert it gets a bit tricky.
The easiest way to handle this is to use validateParameters() (see
[https://github.com/apache/maven-jarsigner-plugin/pull/13/]) and throw a
MojoExecutionException if this happens.
# I recommend using a comma as separator for the items in the list. This way
it would be possible to change the data type from {{String}} to {{String[]
}}and Maven will itself handle the splitting on the comma (if using the command
format) or mangling of nested XML tags into a {{String[]}} (if using nested XML
format). Thus, the JarsignerSignMojo would not need to do any String splitting.
was:
h3. Background
A Timestamping Authority (TSA) server is used to add a timestamp to the digital
signature. This timestamp indicates when the code was signed and helps prevent
issues that may arise if a certificate used for code signing expires.
The jarsigner command has 4 parameters relating to TSA (see
[https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html):]
1. {{-tsa url}}
2. {{-tsacert alias}}
3. {{-tsapolicyid policyid}}
4. {{-tsadigestalg algorithm}}
The maven-jarsigner-plugin currently has support to set {{-tsa}} and
{{-tsacert}} (the same goes for the library JarSignerSignRequest in the
[https://github.com/apache/maven-jarsigner] project).
h3. Feature requested
Allow usage of multiple TSA servers when signing. This could be useful for:
1. Better stability if one TSA server is down.
2. Better stability if a TSA server has imposed a rate-limit when signing many
jar files at the same time.
This feature has both been suggested by Thorsten Meinl as a patch to
[https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59] and
also by @jcompagner in
[https://github.com/apache/maven-jarsigner-plugin/pull/1#issuecomment-1412344998].
But since those suggestions were not tied to a direct ticket, I felt it would
be good to collect their feature requests as a separate dedicated ticket.
h3. Implementation suggestions
I don’t plan to implement this feature myself. But since I have analyzed the
issue, I can give my suggestions on how to implement it:
# The {{-tsapolicyid}} parameter is currently missing in the maven-jarsigner
project. Consider adding support for this while implementing this ticket.
# Since {{{}-tsa{}}}, {{{}-tsacert{}}}, {{-tsapolicyid}} all belong together,
I would recommend making a list of all 3.
# If the user specifies 3 tsa URLs but only 1 tsacert it gets a bit tricky.
The easiest way to handle this is to use validateParameters() (see
[https://github.com/apache/maven-jarsigner-plugin/pull/13/]) and throw a
MojoExecutionException if this happens.
# I recommend using a comma as separator for the items in the list. This way
it would be possible to change the data type from {{String}} to
{{{}String[{}}}] and Maven will itself handle the splitting on the comma (if
using the command format) or mangling of nested XML tags into a {{String[]}}
(if using nested XML format). Thus, the JarsignerSignMojo would not need to do
any String splitting.
> Allow usage of multiple Time Stamping Authority (TSA) servers
> -------------------------------------------------------------
>
> Key: MJARSIGNER-74
> URL: https://issues.apache.org/jira/browse/MJARSIGNER-74
> Project: Maven Jar Signer Plugin
> Issue Type: New Feature
> Affects Versions: 3.0.0
> Reporter: Lennart Schedin
> Priority: Minor
>
> h3. Background
> A Timestamping Authority (TSA) server is used to add a timestamp to the
> digital signature. This timestamp indicates when the code was signed and
> helps prevent issues that may arise if a certificate used for code signing
> expires.
> The jarsigner command has 4 parameters relating to TSA (see
> [https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html):]
> 1. {{-tsa url}}
> 2. {{-tsacert alias}}
> 3. {{-tsapolicyid policyid}}
> 4. {{-tsadigestalg algorithm}}
> The maven-jarsigner-plugin currently has support to set {{-tsa}} and
> {{-tsacert}} (the same goes for the library JarSignerSignRequest in the
> [https://github.com/apache/maven-jarsigner] project).
> h3. Feature requested
> Allow usage of multiple TSA servers when signing. This could be useful for:
> 1. Better stability if one TSA server is down.
> 2. Better stability if a TSA server has imposed a rate-limit when signing
> many jar files at the same time.
> This feature has both been suggested by Thorsten Meinl as a patch to
> [https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59] and
> also by @jcompagner in
> [https://github.com/apache/maven-jarsigner-plugin/pull/1#issuecomment-1412344998].
> But since those suggestions were not tied to a direct ticket, I felt it
> would be good to collect their feature requests as a separate dedicated
> ticket.
> h3. Implementation suggestions
> I don’t plan to implement this feature myself. But since I have analyzed the
> issue, I can give my suggestions on how to implement it:
> # The {{-tsapolicyid}} parameter is currently missing in the maven-jarsigner
> project. Consider adding support for this while implementing this ticket.
> # Since {{{}-tsa{}}}, {{{}-tsacert{}}}, {{-tsapolicyid}} all belong
> together, I would recommend making a list of all 3.
> # If the user specifies 3 tsa URLs but only 1 tsacert it gets a bit tricky.
> The easiest way to handle this is to use validateParameters() (see
> [https://github.com/apache/maven-jarsigner-plugin/pull/13/]) and throw a
> MojoExecutionException if this happens.
> # I recommend using a comma as separator for the items in the list. This way
> it would be possible to change the data type from {{String}} to {{String[]
> }}and Maven will itself handle the splitting on the comma (if using the
> command format) or mangling of nested XML tags into a {{String[]}} (if using
> nested XML format). Thus, the JarsignerSignMojo would not need to do any
> String splitting.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
