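Maven JNLP creation with EV code signing

I am using Maven and the webstart-maven-plugin to generate a JNLP file and sign my project's jar files. We just had to renew our code signing certificate, and since February 2017 a hardware token is provided instead of a software token.
According to GlobalSign's support page, the correct way to sign a jar with a hardware token is as follows (see article):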
jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5"
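I followed all the steps described in the article, and now I am trying to adapt my pom.xml to apply the EV code signing certificate.
Originally I used a keystore (snippet, full POM below):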
<!-- SIGNING -->
<sign>
<keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore>
<keypass>...</keypass>
<storepass>...</storepass>
<alias>...</alias>
<verify>true</verify>
</sign>
Now I am trying to update it to get EV code signing working (snippet, full POM below):
<!-- SIGNING -->
<sign>
<keystore>NONE</keystore>
<storetype>PKCS11</storetype>
<storepass>...</storepass>
<tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
<providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
<alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example -->
<verify>true</verify>
</sign>
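However, it seems that tsa, providerClass and providerArg are not supported, unless I am missing something. I did not find much information about the webstart-maven-plugin, or it is not up to date, which is a shame :(
Is there another/better way to sign the jars when creating a JNLP? Any help would be much appreciated!
pom.xml for code signing (with keystore)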
<profile>
<id>jnlp</id>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-maven-plugin</artifactId>
<version>1.0-beta-6</version>
<dependencies>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-pack200-impl</artifactId>
<version>1.0-beta-6</version>
</dependency>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>keytool-api-1.7</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>jnlp</goal>
</goals>
</execution>
</executions>
<configuration>
<!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory -->
<libPath>lib</libPath>
<!-- JNLP generation -->
<jnlp>
<mainClass>myApp.ui.MainApp</mainClass>
</jnlp>
<!-- SIGNING -->
<sign>
<keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore>
<keypass>...</keypass>
<storepass>...</storepass>
<alias>...</alias>
<verify>true</verify>
</sign>
<verbose>true</verbose>
<updateManifestEntries>
<Application-Name>MyApp</Application-Name>
<Permissions>all-permissions</Permissions>
<Codebase>...</Codebase>
<Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase>
<Caller-Allowable-Codebase>...</Caller-Allowable-Codebase>
</updateManifestEntries>
<!-- BUILDING PROCESS -->
<pack200>
<enabled>false</enabled>
</pack200>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.6</version>
<configuration>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
</configuration>
<executions>
<execution>
<id>assemble-all</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
pom.xml for EV code signing (with SafeNet token)
<profile>
<id>jnlp</id>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-maven-plugin</artifactId>
<version>1.0-beta-7</version>
<dependencies>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-pack200-impl</artifactId>
<version>1.0-beta-6</version>
</dependency>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>keytool-api-1.7</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>jnlp</goal>
</goals>
</execution>
</executions>
<configuration>
<!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory -->
<libPath>lib</libPath>
<!-- JNLP generation -->
<jnlp>
<mainClass>myApp.ui.MainApp</mainClass>
</jnlp>
<!-- SIGNING -->
<sign>
<keystore>NONE</keystore>
<storetype>PKCS11</storetype>
<storepass>...</storepass>
<tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
<providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
<alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example -->
<verify>true</verify>
</sign>
<verbose>true</verbose>
<updateManifestEntries>
<Application-Name>MyApp</Application-Name>
<Permissions>all-permissions</Permissions>
<Codebase>...</Codebase>
<Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase>
<Caller-Allowable-Codebase>...</Caller-Allowable-Codebase>
</updateManifestEntries>
<!-- BUILDING PROCESS -->
<pack200>
<enabled>false</enabled>
</pack200>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.6</version>
<configuration>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
</configuration>
<executions>
<execution>
<id>assemble-all</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
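One way to pass the PKCS#11 options from the question through Maven, as an added example that is not part of the original post: the maven-jarsigner-plugin exposes `storetype`, `providerClass`, `providerArg` and `tsa` as parameters of its `sign` goal. Assumptions: the `<sign>` block is removed from the webstart-maven-plugin configuration, the jnlp goal leaves its jars under `${project.build.directory}/jnlp`, and `token.pin` is a hypothetical property name.

```xml
<!-- Added example: declare this plugin AFTER webstart-maven-plugin in the same
     profile so that, within the package phase, it runs once the JNLP jars exist. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>sign-jnlp-jars</id>
      <phase>package</phase>
      <goals>
        <goal>sign</goal>
        <goal>verify</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- Assumption: output directory of the jnlp goal, including its lib/ folder -->
    <archiveDirectory>${project.build.directory}/jnlp</archiveDirectory>
    <includes>
      <include>**/*.jar</include>
    </includes>
    <!-- Sign only the jars in archiveDirectory, not the project's own artifacts -->
    <processMainArtifact>false</processMainArtifact>
    <processAttachedArtifacts>false</processAttachedArtifacts>

    <!-- Same values as the jarsigner command line quoted in the question -->
    <keystore>NONE</keystore>
    <storetype>PKCS11</storetype>
    <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
    <providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
    <tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
    <!-- Alias copied from the question; the real alias is the one stored on the token -->
    <alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias>

    <!-- Hypothetical property: supply the token PIN with -Dtoken.pin=... or from
         settings.xml so that it is never committed with the POM -->
    <storepass>${token.pin}</storepass>

    <!-- Used by the verify goal: fail the build if any jar ends up unsigned -->
    <errorWhenNotSigned>true</errorWhenNotSigned>
  </configuration>
</plugin>
```

If the jnlp goal also packages that directory into an archive during its own execution, that archive is built before this signing step runs, so publish the directory contents rather than that archive.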
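Thanks for your suggestion. I looked up the relevant information at https://docs.oracle.com/javase/8/docs/technotes/tools/unix/javafxpackager.html. It seems that 'storeType' can be set, but not 'providerClass' and 'providerArg'? Or am I missing something? – Perneel
If you set storeType = PKCS11, you do not need to specify providerClass. I am not sure about providerArg, but I think in this case providerArg may be the same as the KeyStore file. –
@SaeidNourian Instead of using javafxpackager directly (which should now be called javapackager), you can use the javafx-maven-plugin, which works with the current SNAPSHOT version. – FibreFoX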