Cryptographically sign the Toolbox jars. Signed jars result in one less

warning popup to p2 upgrades of the Toolbox. [Feature][Toolbox]

Cryptographically sign the Toolbox jars. Signed jars result in one less
4109c3a8 · Markus Alexander Kuppe · d14ed91d · 4109c3a8 · 4109c3a8 · 4109c3a8
Commit 4109c3a8 authored 8 years ago by Markus Alexander Kuppe
--- a/org.lamport.tla.toolbox.jnlp/keystore
+++ b/org.lamport.tla.toolbox.jnlp/keystore
--- a/org.lamport.tla.toolbox.jnlp/pom.xml
+++ b/org.lamport.tla.toolbox.jnlp/pom.xml
@@ -14,15 +14,6 @@
  <version>1.0.0-SNAPSHOT</version>
  <packaging>eclipse-plugin</packaging>

-  <!-- These properties define a dummy certificate store that is used unless the developer passes overwrites to maven -->
-  <!-- see http://stackoverflow.com/a/3620575 for how such an overwrite would look like. -->  
-  <properties>
-  	<keystore.path>keystore</keystore.path>
-	<keystore.alias>msr</keystore.alias>
-    <keystore.store.password>secret</keystore.store.password>
-    <keystore.key.password>secret</keystore.key.password>
-  </properties>
-
 	<!-- Create a manual dependency towards the tlatools project. It creates 
 		the tla2tools.jar that is signed here. Without the dependency, a concurrent 
 		build will fail to sign when tlatools is built after this pom. -->

--- a/pom.xml
+++ b/pom.xml
@@ -91,6 +91,24 @@
 		<!-- no default here -->
 		<tycho.test.vm.argline>-Xmx500m -Xdebug -Xrunjdwp:transport=dt_socket,address=1044,server=y,suspend=n</tycho.test.vm.argline>
 		<tycho.test.vm.useUiThread>false</tycho.test.vm.useUiThread>
+
+        <!-- These properties define a dummy certificate store that is used unless the developer passes overwrites to maven -->
+        <!-- see http://stackoverflow.com/a/3620575 for how such an overwrite would look like. -->  
+  	    <keystore.path>${project.basedir}/../keystore</keystore.path>
+	    <keystore.alias>msr</keystore.alias>
+        <keystore.store.password>secret</keystore.store.password>
+        <keystore.key.password>secret</keystore.key.password>
+        <!-- 
+          Set to the values below if the signature should include a timestamp. You want this for a release build 
+          because a timestamp makes sure the signature remains valid after the certificate expired.
+          If you activate RFC3161, make sure the machine running the build has sufficient entropy available. Otherwise
+          expect to see intermittent hangs when the build attempts to sign a jar. On Linux the haveged and rng-tools
+          can help to collect entropy. 
+          <tsa.flag>-tsa</tsa.flag>
+          <tsa.server>http://timestamp.comodoca.com</tsa.server>
+		 -->
+        <tsa.flag></tsa.flag>
+        <tsa.server></tsa.server>
 	</properties>

 	<build>
@@ -122,6 +140,33 @@
 				    </archive>
 			    </configuration>
 			</plugin>
+			<plugin>
+			    <groupId>org.apache.maven.plugins</groupId>
+			    <artifactId>maven-jarsigner-plugin</artifactId>
+			    <version>1.4</version>
+			        <configuration>
+				        <keystore>${keystore.path}</keystore>
+				        <alias>${keystore.alias}</alias>
+				        <storepass>${keystore.store.password}</storepass>
+				        <keypass>${keystore.key.password}</keypass>
+			           	<verbose>false</verbose>
+			           	<arguments>
+			 			  <!-- Embed a current timestamp in the signed content (file). With this timestamp, 
+							the signature of the content remains valid *after* the signing certificate 
+							expired. -->
+			              <argument>${tsa.flag}</argument>
+			              <argument>${tsa.server}</argument>
+			            </arguments>
+			        </configuration>
+			        <executions>
+			            <execution>
+			                <id>sign</id>
+			                <goals>
+			                    <goal>sign</goal>
+			                </goals>
+			            </execution>
+			         </executions>
+			</plugin>
    			<plugin>
 				<groupId>org.eclipse.tycho</groupId>
 				<artifactId>target-platform-configuration</artifactId>