Signing plugins for use with an add-on site

Hello,
We've been experimenting with an add-on site and have got things working apart from the code signing.
We've watched the video (http://www.oxygenxml.com/demo/AddonsSupport.html) and think it suggests that it's the .zip file rather than the .jar which is signed? (There's a screen at 4:00 mins with: "2: Digitally sign the archive")
I've tried using Google to research signing zip files but it's leading me to signing systems for Android applications (usually running on Android).
Do you have any hints/suggestions for signing? (We've got codesigning key/certificates in .cert, .p12, .pem formats and in a Java keystore).
Thanks,
Nigel
-- Nigel Whitaker, Software Architect, DeltaXML Ltd. "Experts in information change" nigel.whitaker@deltaxml.com http://www.deltaxml.com +44 1684 869035 Registered in England: 02528681 Reg. Office: Monsell House, WR8 0QN, UK

Hi Nigel,
You should pack the plugin itself as a jar instead of zip and sign that.
Best Regards, George -- George Cristian Bina <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger http://www.oxygenxml.com
On 3/4/13 5:30 PM, Nigel Whitaker wrote:

Hi Nigel,
I'll revise the documentation to make it clear that if you want to sign the add-on you should pack it as a jar archive and if you don't intend to sign it you can just pack it as a zip instead.
So just pack the add-on as a jar archive. Seeing that you already have a certificate signed by a trusted authority, you can just use the jarsigner command line tool inside the JDK ({JDK_install_dir}/bin/jarsigner.exe) or the ANT signjar task (which is just a front for the jarsigner tool).
Best Regards, Alex -- Alex Jitianu <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger http://www.oxygenxml.com
On 04-Mar-13 5:33 PM, George Cristian Bina wrote:
_______________________________________________ oXygen-sdk mailing list oXygen-sdk@oxygenxml.com http://www.oxygenxml.com/mailman/listinfo/oxygen-sdk

Hi Alex & George,
Thanks for the help - I've now got it working.
I did try an earlier experiment using jar/jarsigner, but for a reason I can't remember, I used a ".zip" file extension. It looks like this extension causes the add-on manager to say that the add-on is unsigned. I changed the extension to ".jar" and updated xt:location/@href and it was reported as signed.
I've used a timestamp server when signing, I can see the signing time reported with "jarsigner -verify -certs -verbose", but not in the add-on manager, hope that's OK?
It may help someone coming across this thread in future - here is our (ant) signing target (we've an InstantSSL/Comodo certificate):

    <target name="sign-addon" depends="addon-jar">
      <mkdir dir="${build.addon.signed.dir}"/>
      <signjar alias="deltaxml limited's comodo ca limited id"
               signedjar="${build.addon.signed.jar}"
               jar="${build.addon.unsigned.jar}"
               storepass="********"
               tsaurl="http://timestamp.comodoca.com/rfc3161"
               keystore="${ULD}/auth/deltaxml-codesigning.jks" />
    </target>

The .jks store was loaded from the .p12 file we got from the certificate authority, the JDK 1.6 keytool can do the conversion.
Thanks,
Nigel
On 05/03/2013 09:41, oXygen XML Editor Support wrote:
-- Nigel Whitaker, Software Architect, DeltaXML Ltd. "Experts in information change" nigel.whitaker@deltaxml.com http://www.deltaxml.com +44 1684 869035 Registered in England: 02528681 Reg. Office: Monsell House, WR8 0QN, UK
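
An added example, not part of the thread and not oXygen's or DeltaXML's code: a Python pre-publish check for the two conditions the message above reports on (a `.jar` extension and a signature in the archive), extended to flag entries added after signing, which no `.SF` section covers. The function name, entry names and placeholder signature bytes are constructed for illustration; the check is structural only, and `jarsigner -verify` remains the cryptographic verification.

```python
import io
import re
import zipfile

# Files the JAR format leaves outside the signed set: manifest, .SF, signature blocks.
_SIG_RE = re.compile(r"^META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def _section_names(text):
    """'Name:' values of a manifest-style file, with folded lines rejoined."""
    unfolded = re.sub(r"\r?\n ", "", text)  # leading space = continuation line
    return {m.group(1).strip() for m in re.finditer(r"^Name: (.*)$", unfolded, re.M)}

def check_addon_archive(filename, data):
    """Structural check only; returns a list of problems (empty = looks signed)."""
    problems = []
    if not filename.lower().endswith(".jar"):
        problems.append("extension is not .jar")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        sf_files = [n for n in names if re.match(r"META-INF/[^/]+\.SF$", n, re.I)]
        blocks = [n for n in names if re.match(r"META-INF/[^/]+\.(RSA|DSA|EC)$", n, re.I)]
        if not sf_files or not blocks:
            return problems + ["no .SF file or signature block in META-INF"]
        covered = set()
        for sf in sf_files:
            covered |= _section_names(zf.read(sf).decode("utf-8"))
        for n in names:
            if not _SIG_RE.match(n) and n not in covered:
                problems.append("unsigned entry: " + n)
    return problems

def _build(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: placeholder digests and signature block, no real key material.
_SECTION = "\r\nName: plugin.xml\r\nSHA-256-Digest: AAAA\r\n\r\n"
_ENTRIES = {
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n" + _SECTION,
    "META-INF/ADDON.SF": "Signature-Version: 1.0\r\n" + _SECTION,
    "META-INF/ADDON.RSA": b"placeholder",
    "plugin.xml": "<plugin/>",
}
SIGNED = _build(_ENTRIES)
TAMPERED = _build({**_ENTRIES, "lib/extra.jar": b"added after signing"})
UNSIGNED = _build({"plugin.xml": "<plugin/>"})
```
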

Hi Nigel,
We're just not presenting the signing time... Not an issue but I'll take another look and see what other information we can present about the signature.
Best Regards, Alex -- Alex Jitianu <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger http://www.oxygenxml.com
On 06-Mar-13 11:06 AM, Nigel Whitaker wrote: