Maven JNLP creation with EV code signing

1

I'm using Maven and the webstart-maven-plugin to generate a JNLP file and sign my project's jar files. We just had to renew our code signing certificate, which since February 2017 is delivered on a hardware token instead of as a software token.

According to GlobalSign's support page, the correct way to sign jars with the hardware token is as follows (see the article):

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5"

I followed all the steps described in the article, and now I'm trying to adapt my pom.xml to apply the EV code signing certificate.

Originally I used a keystore (snippet, full POM below):

<!-- SIGNING --> 
<sign> 
    <keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore> 
    <keypass>...</keypass> 
    <storepass>...</storepass> 
    <alias>...</alias> 
    <verify>true</verify> 
</sign> 

Now I'm trying to update it to get EV code signing working (snippet, full POM below):

<!-- SIGNING --> 
<sign> 
    <keystore>NONE</keystore> 
    <storetype>PKCS11</storetype> 
    <storepass>...</storepass> 
    <tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa> 
    <providerClass>sun.security.pkcs11.SunPKCS11</providerClass> 
    <providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg> 
    <alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example --> 
    <verify>true</verify> 
</sign> 

However, it seems that tsa, providerClass and providerArg are not supported, unless I missed something. I didn't find much information about the webstart-maven-plugin, or it isn't up to date, which is a shame :(

Is there another/better way to sign the jars when creating a JNLP? Any help would be much appreciated!

pom.xml for code signing (with keystore)

<profile> 
     <id>jnlp</id> 
     <build> 
      <plugins> 
       <plugin> 
        <groupId>org.codehaus.mojo</groupId> 
        <artifactId>webstart-maven-plugin</artifactId> 
        <version>1.0-beta-6</version> 
        <dependencies> 
         <dependency> 
          <groupId>org.codehaus.mojo</groupId> 
          <artifactId>webstart-pack200-impl</artifactId> 
          <version>1.0-beta-6</version> 
         </dependency> 
         <dependency> 
          <groupId>org.codehaus.mojo</groupId> 
          <artifactId>keytool-api-1.7</artifactId> 
          <version>1.5</version> 
         </dependency> 
        </dependencies> 
        <executions> 
         <execution> 
          <phase>package</phase> 
          <goals> 
           <goal>jnlp</goal> 
          </goals> 
         </execution> 
        </executions> 
        <configuration> 
         <!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory --> 
         <libPath>lib</libPath> 
         <!-- JNLP generation --> 
         <jnlp> 
          <mainClass>myApp.ui.MainApp</mainClass> 
         </jnlp> 

         <!-- SIGNING --> 
         <sign> 
          <keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore> 
          <keypass>...</keypass> 
          <storepass>...</storepass> 
          <alias>...</alias> 
          <verify>true</verify> 
         </sign> 
         <verbose>true</verbose> 
         <updateManifestEntries> 
          <Application-Name>MyApp</Application-Name> 
          <Permissions>all-permissions</Permissions> 
          <Codebase>...</Codebase> 
          <Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase> 
          <Caller-Allowable-Codebase>...</Caller-Allowable-Codebase> 
         </updateManifestEntries> 

         <!-- BUILDING PROCESS --> 
         <pack200> 
          <enabled>false</enabled> 
         </pack200> 
        </configuration> 
       </plugin> 
       <plugin> 
        <groupId>org.apache.maven.plugins</groupId> 
        <artifactId>maven-assembly-plugin</artifactId> 
        <version>2.6</version> 
        <configuration> 
         <descriptorRefs> 
          <descriptorRef>jar-with-dependencies</descriptorRef> 
         </descriptorRefs> 
        </configuration> 
        <executions> 
         <execution> 
          <id>assemble-all</id> 
          <phase>package</phase> 
          <goals> 
           <goal>single</goal> 
          </goals> 
         </execution> 
        </executions> 
       </plugin> 
      </plugins> 
     </build> 
    </profile> 

pom.xml for EV code signing (with SafeNet token)

<profile> 
     <id>jnlp</id> 
     <build> 
      <plugins> 
       <plugin> 
        <groupId>org.codehaus.mojo</groupId> 
        <artifactId>webstart-maven-plugin</artifactId> 
        <version>1.0-beta-7</version> 
        <dependencies> 
         <dependency> 
          <groupId>org.codehaus.mojo</groupId> 
          <artifactId>webstart-pack200-impl</artifactId> 
          <version>1.0-beta-6</version> 
         </dependency> 
         <dependency> 
          <groupId>org.codehaus.mojo</groupId> 
          <artifactId>keytool-api-1.7</artifactId> 
          <version>1.5</version> 
         </dependency> 
        </dependencies> 
        <executions> 
         <execution> 
          <phase>package</phase> 
          <goals> 
           <goal>jnlp</goal> 
          </goals> 
         </execution> 
        </executions> 
        <configuration> 
         <!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory --> 
         <libPath>lib</libPath> 
         <!-- JNLP generation --> 
         <jnlp> 
          <mainClass>myApp.ui.MainApp</mainClass> 
         </jnlp> 

         <!-- SIGNING --> 
         <sign> 
          <keystore>NONE</keystore> 
          <storetype>PKCS11</storetype> 
          <storepass>...</storepass> 
          <tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa> 
          <providerClass>sun.security.pkcs11.SunPKCS11</providerClass> 
          <providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg> 
          <alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example -->
          <verify>true</verify> 
         </sign> 
         <verbose>true</verbose> 
         <updateManifestEntries> 
          <Application-Name>MyApp</Application-Name> 
          <Permissions>all-permissions</Permissions> 
          <Codebase>...</Codebase> 
          <Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase> 
          <Caller-Allowable-Codebase>...</Caller-Allowable-Codebase> 
         </updateManifestEntries> 

         <!-- BUILDING PROCESS --> 
         <pack200> 
          <enabled>false</enabled> 
         </pack200> 
        </configuration> 
       </plugin> 
       <plugin> 
        <groupId>org.apache.maven.plugins</groupId> 
        <artifactId>maven-assembly-plugin</artifactId> 
        <version>2.6</version> 
        <configuration> 
         <descriptorRefs> 
          <descriptorRef>jar-with-dependencies</descriptorRef> 
         </descriptorRefs> 
        </configuration> 
        <executions> 
         <execution> 
          <id>assemble-all</id> 
          <phase>package</phase> 
          <goals> 
           <goal>single</goal> 
          </goals> 
         </execution> 
        </executions> 
       </plugin> 
      </plugins> 
     </build> 
    </profile> 

Answers

1

Disclaimer: I am the maintainer of the javafx-maven-plugin.

This resulted in a report, which is now available; more details at this link: https://github.com/javafx-maven-plugin/javafx-maven-plugin/issues/291

As already mentioned in the javafx-maven-plugin issue, here is the solution to get this working:

<plugin> 
    <groupId>com.zenjava</groupId> 
    <artifactId>javafx-maven-plugin</artifactId> 
    <version>8.8.4-SNAPSHOT</version> 
    <!-- this configuration is shared among all executions -->
    <configuration> 
     <mainClass>fqdn.to.your.MainClass</mainClass> 
     <description>test signing</description> 
     <title>launch</title> 
     <verbose>true</verbose> 
     <j2seVersion>1.8+</j2seVersion> 
     <appName>simpleApplicationName</appName> 

     <!-- this only sets the field inside jar-file --> 
     <allPermissions>true</allPermissions> 
    </configuration> 
    <executions> 
     <execution> 
      <!-- required before build-native, creates target/jfx/app --> 
      <id>create-jfxjar</id> 
      <phase>package</phase> 
      <goals> 
       <goal>build-jar</goal> 
      </goals> 
     </execution> 
     <execution> 
      <!-- creates target/jfx/web --> 
      <id>create-jnlp-bundle</id> 
      <phase>package</phase> 
      <goals> 
       <goal>build-native</goal> 
      </goals> 
      <!-- this configuration is only specific to this execution -->
      <configuration>
       <!-- as we only want to create the JNLP-package, use fixed bundler-ID -->
       <bundler>jnlp</bundler>

       <bundleArguments>
        <!-- this makes the JNLP-file have its permissions set -->
        <!-- AND it is the trigger for signing jar-files using jarsigner -->
        <!-- note: the bundler argument really is spelled "allPermisions" -->
        <jnlp.allPermisions>true</jnlp.allPermisions>

        <!-- the JNLP-bundler is a bit picky about its parameters, it does not use <appName> -->
        <jnlp.outfile>simpleApplicationName</jnlp.outfile>
       </bundleArguments>

       <!-- this setting is required for the new "jarsigner"-feature --> 
       <noBlobSigning>true</noBlobSigning> 

       <!-- these are required, please change them for your own requirements --> 
       <keyStoreAlias>myalias</keyStoreAlias> 
       <keyStorePassword>mypass</keyStorePassword> 

       <!-- as this keystore is no file, please disable file-checks --> 
       <skipKeyStoreChecking>true</skipKeyStoreChecking> 
       <!-- this is new too and required, as PKCS11 does not want some keypass --> 
       <skipKeypassWhileSigning>true</skipKeypassWhileSigning> 

       <!-- this is used for additional parameters for the jarsigner command --> 
       <additionalJarsignerParameters> 
        <additionalJarsignerParameter>-keystore</additionalJarsignerParameter> 
        <additionalJarsignerParameter>NONE</additionalJarsignerParameter> 
        <additionalJarsignerParameter>-storetype</additionalJarsignerParameter> 
        <additionalJarsignerParameter>PKCS11</additionalJarsignerParameter> 
        <additionalJarsignerParameter>-tsa</additionalJarsignerParameter> 
        <additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter> 
        <additionalJarsignerParameter>-providerClass</additionalJarsignerParameter> 
        <additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter> 
        <additionalJarsignerParameter>-providerArg</additionalJarsignerParameter> 
        <additionalJarsignerParameter>${project.basedir}/src/main/resources/token/eToken.config</additionalJarsignerParameter> 
        <!-- I DO KNOW that this is verbose ... --> 
       </additionalJarsignerParameters> 

       <!-- the jnlp-bundler gets a bit messy, lots of files, so we want to mimic "jfx:web"-folder-structure --> 
       <nativeOutputDir>${project.build.directory}/jfx/web</nativeOutputDir> 
      </configuration> 
     </execution> 
    </executions> 
</plugin> 

This version hasn't been released yet, but it is available as a SNAPSHOT from the sonatype repository.

0

Why not use javafxpackager? It can create Java Web Start and executable forms and sign them easily. It's what Oracle recommends. I've been using it for many years and like it a lot. I'm using its Ant tasks, but I believe they also have a Maven plugin.

Here are the details:

http://docs.oracle.com/javafx/2/deployment/packager.htm

+0

Thanks for the suggestion. I looked at https://docs.oracle.com/javase/8/docs/technotes/tools/unix/javafxpackager.html. It seems that 'storeType' can be set, but not 'providerClass' and 'providerArg'? Or am I missing something? – Perneel

+0

If you set storeType = PKCS11, you don't need to specify providerClass. I'm not sure about providerArg, but I think in that case providerArg may be the same as the KeyStore file. –

+0

@SaeidNourian Instead of using javafxpackager directly (it should now be called javapackager), you can use the javafx-maven-plugin, which works with the current SNAPSHOT version. – FibreFoX

1

I ran into the same problem these days. I'm using "workarounds".

Workaround 1 (one fat JAR), successful:

  • maven-shade-plugin (the easiest way to create a "fat jar" with dependencies, then just sign this jar)
  • maven-jarsigner-plugin (signs the shaded jar from the token)
  • webstart-maven-plugin (only for JNLP purposes)

Here is my POM:

<dependencies> 

    ... 

</dependencies> 

<build> 
    <plugins> 

     ... 

     <plugin> 
      <groupId>org.apache.maven.plugins</groupId> 
      <artifactId>maven-shade-plugin</artifactId> 
      <version>3.0.0</version> 
      <executions> 
       <execution> 
        <id>shade</id> 
        <phase>package</phase> 
        <goals> 
         <goal>shade</goal> 
        </goals> 
        <configuration> 
         <transformers> 
          <transformer 
           implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer"> 
           <manifestEntries> 
            <Permissions>all-permissions</Permissions> 
           </manifestEntries> 
          </transformer> 
         </transformers> 
        </configuration> 
       </execution> 
      </executions> 
     </plugin> 
     <plugin> 
      <groupId>org.apache.maven.plugins</groupId> 
      <artifactId>maven-jarsigner-plugin</artifactId> 
      <version>1.4</version> 
      <executions> 
       <execution> 
        <id>sign</id> 
        <phase>package</phase> 
        <goals> 
         <goal>sign</goal> 
        </goals> 
       </execution> 
      </executions> 
      <configuration> 
       <keystore>NONE</keystore> 
       <storepass>******</storepass> 
       <storetype>PKCS11</storetype> 
       <tsa>http://rxxxxx.globalsign.com/advanced</tsa> 
       <providerClass>sun.security.pkcs11.SunPKCS11</providerClass> 
       <providerArg>${project.basedir}/src/main/eToken.cfg</providerArg> 
       <alias>xxxxxxxxxxxxx</alias> 
       <archive>${project.build.directory}/${project.build.FinalName}.${project.packaging}</archive> 
       <arguments> 
        <argument>-J-Dhttp.proxyHost=my.proxy.com</argument> 
        <argument>-J-Dhttp.proxyPort=8080</argument> 
       </arguments> 
      </configuration> 
     </plugin> 
     <plugin> 
      <groupId>org.codehaus.mojo.webstart</groupId> 
      <artifactId>webstart-maven-plugin</artifactId> 
      <version>1.0-beta-7</version> 
      <executions> 
       <execution> 
        <id>build-jnlp</id> 
        <phase>package</phase> 
        <goals> 
         <goal>jnlp</goal> 
        </goals> 
       </execution> 
      </executions> 
      <configuration> 
       <makeArchive>false</makeArchive> 
       <jnlp> 
        <inputTemplateResourcePath>${project.basedir}/src/main/jnlp</inputTemplateResourcePath> 
        <inputTemplate>template.vm</inputTemplate> 
        <mainClass>test</mainClass> 
       </jnlp> 
      </configuration> 
     </plugin> 
    </plugins> 

</build> 

And template.vm:

<?xml version="1.0" encoding="utf-8"?> 
<jnlp spec="1.0+" codebase="http://www.mycompany.com/poc" href="launch.jnlp"> 
    <information> 
     <title>xxxx</title> 
     <vendor>$project.Organization.Name</vendor> 
     <homepage href="http://www.mycompany.com" /> 
     <description>$project.Description</description> 
     <offline-allowed /> 
    </information> 
    <security> 
     <all-permissions /> 
    </security> 
    <resources> 
     <j2se version="1.7+" /> 
     $dependencies 
    </resources> 
    <application-desc main-class="$mainClass" /> 
</jnlp> 

Workaround 2 (several jars):

  • maven-jar-plugin (sets all-permissions in the main JAR manifest)
  • webstart-maven-plugin (only for JNLP purposes)
  • maven-jarsigner-plugin (signs all the jars in /jnlp from the token)

Here is my POM:

<dependencies> 

    ... 

</dependencies> 

<build> 
    <plugins> 

     ... 
     <plugin> 
      <groupId>org.apache.maven.plugins</groupId> 
      <artifactId>maven-jar-plugin</artifactId> 
      <executions> 
       <execution> 
        <id>update-manifest-permissions-entry</id> 
        <phase>prepare-package</phase> 
        <goals> 
         <goal>jar</goal> 
        </goals> 
       </execution> 
      </executions> 
      <configuration> 
       <archive> 
        <addMavenDescriptor>false</addMavenDescriptor> 
        <manifestEntries> 
         <Permissions>all-permissions</Permissions> 
        </manifestEntries> 
       </archive> 
      </configuration> 
     </plugin> 
     <plugin> 
      <groupId>org.codehaus.mojo</groupId> 
      <artifactId>webstart-maven-plugin</artifactId> 
      <version>1.0-beta-7</version> 
      <executions> 
       <execution> 
        <id>build-jnlp</id> 
        <phase>package</phase> 
        <goals> 
         <goal>jnlp</goal> 
        </goals> 
       </execution> 
      </executions> 
      <configuration> 
       <makeArchive>false</makeArchive> 
       <jnlp> 
        <inputTemplateResourcePath>${project.basedir}/src/main/jnlp</inputTemplateResourcePath> 
        <inputTemplate>template.vm</inputTemplate> 
        <mainClass>test</mainClass> 
       </jnlp> 
      </configuration> 
     </plugin> 
     <plugin> 
      <groupId>org.apache.maven.plugins</groupId> 
      <artifactId>maven-jarsigner-plugin</artifactId> 
      <version>1.4</version> 
      <executions> 
       <execution> 
        <id>sign</id> 
        <phase>install</phase> 
        <goals> 
         <goal>sign</goal> 
        </goals> 
       </execution> 
      </executions> 
      <configuration> 
       <keystore>NONE</keystore> 
       <storepass>xxxxx</storepass> 
       <storetype>PKCS11</storetype> 
       <tsa>http://xxx.globalsign.com/xxx</tsa> 
       <providerClass>sun.security.pkcs11.SunPKCS11</providerClass> 
       <providerArg>${project.basedir}/src/main/eToken.cfg</providerArg> 
       <alias>xxxxxxx</alias> 
       <processMainArtifact>false</processMainArtifact> 
       <archiveDirectory>${project.build.directory}/jnlp</archiveDirectory> 
       <arguments> 
        <argument>-J-Dhttp.proxyHost=myproxy.company.com</argument> 
        <argument>-J-Dhttp.proxyPort=8080</argument> 
       </arguments> 
      </configuration> 
     </plugin> 
    </plugins> 

</build> 

And template.vm:

<?xml version="1.0" encoding="utf-8"?> 
<jnlp spec="1.0+" codebase="http://www.mycompany.com/poc" href="launch.jnlp"> 
    <information> 
     <title>xxxx</title> 
     <vendor>$project.Organization.Name</vendor> 
     <homepage href="http://www.mycompany.com" /> 
     <description>$project.Description</description> 
     <offline-allowed /> 
    </information> 
    <security> 
     <all-permissions /> 
    </security> 
    <resources> 
     <j2se version="1.7+" /> 
     $dependencies 
    </resources> 
    <application-desc main-class="$mainClass" /> 
</jnlp>
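Added example, not code from the question or any of the answers: a Python pre-flight check a build pipeline can run over the jars that jarsigner produced in any of the setups above, parsing the MANIFEST.MF main section per the JAR spec (including 72-byte continuation lines) and confirming the Permissions/Codebase/Application-Name entries the POMs set plus the presence of jarsigner's .SF and .RSA files. The manifest and jar are constructed inline; the alias MYALIAS and the example.invalid codebase are placeholders.

```python
import io
import zipfile

# Manifest attributes the Java Web Start security baseline expects on a signed jar
# (what the POMs on this page set via updateManifestEntries / manifestEntries).
REQUIRED_ATTRS = ("Permissions", "Codebase", "Application-Name")
ALLOWED_PERMISSIONS = {"all-permissions", "sandbox"}

def parse_manifest(text):
    """Main section of MANIFEST.MF as a dict (JAR spec: a leading space continues
    the previous 72-byte-wrapped attribute, a blank line ends the section)."""
    attrs, last_key = {}, None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % raw)
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs

def check_signed_jar(data):
    """Pre-flight check of a jar (bytes); returns findings, an empty list meaning OK.
    Only the presence of jarsigner's output files is checked, not the signature."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        findings += ["missing manifest attribute " + k for k in REQUIRED_ATTRS if k not in attrs]
        if "Permissions" in attrs and attrs["Permissions"] not in ALLOWED_PERMISSIONS:
            findings.append("unexpected Permissions value " + attrs["Permissions"])
        # jarsigner adds META-INF/<ALIAS>.SF plus a .RSA/.DSA/.EC signature block
        exts = {n.rsplit(".", 1)[-1].upper() for n in names if n.startswith("META-INF/") and "." in n}
        if "SF" not in exts or not exts & {"RSA", "DSA", "EC"}:
            findings.append("jar carries no .SF/.RSA signature files")
    return findings

def build_sample_jar(manifest, signed=True):
    """Constructed in-memory jar for the demo; the signature files are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/MYALIAS.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/MYALIAS.RSA", b"\x30\x00")  # placeholder, not PKCS#7
    return buf.getvalue()

# Constructed manifest; Codebase is wrapped onto a continuation line as the jar tool does it.
GOOD_MANIFEST = ("Manifest-Version: 1.0\r\nApplication-Name: MyApp\r\n"
                 "Permissions: all-permissions\r\nCodebase: https://example.invalid/my\r\n app\r\n\r\n")
```

The check is structural only; the signature chain and timestamp are still validated with `jarsigner -verify -verbose -certs` on the real artifact.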