Maven Jar Signer Plugin / MJARSIGNER-74

Allow usage of multiple Time Stamping Authority (TSA) servers


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.1.0
    • Component/s: None

    Description

      Background

      A Timestamping Authority (TSA) server is used to add a timestamp to the digital signature. This timestamp indicates when the code was signed and helps prevent issues that may arise if a certificate used for code signing expires.

      The jarsigner command has 4 parameters relating to TSA (see https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html):
      1. -tsa url
      2. -tsacert alias
      3. -tsapolicyid policyid
      4. -tsadigestalg algorithm

      The maven-jarsigner-plugin currently has support to set -tsa and -tsacert (the same goes for the library JarSignerSignRequest in the https://github.com/apache/maven-jarsigner project).

      Feature requested

      Allow usage of multiple TSA servers when signing. This could be useful for:
      1. Better stability if one TSA server is down.
      2. Better stability if a TSA server has imposed a rate-limit when signing many jar files at the same time.

      This feature has been suggested both by Thorsten Meinl, as a patch to https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59, and by @jcompagner in https://github.com/apache/maven-jarsigner-plugin/pull/1#issuecomment-1412344998. But since those suggestions were not tied to a direct ticket, I felt it would be good to collect their feature requests as a separate dedicated ticket.

      Implementation suggestions

      I don’t plan to implement this feature myself. But since I have analyzed the issue, I can give my suggestions on how to implement it:

      1. The -tsapolicyid parameter is currently missing in the maven-jarsigner project. Consider adding support for this while implementing this ticket.
      2. Since -tsa, -tsacert, -tsapolicyid all belong together, I would recommend making a list of all 3.
      3. If the user specifies 3 tsa URLs but only 1 tsacert, it gets a bit tricky. The easiest way to handle this is to use validateParameters() (see https://github.com/apache/maven-jarsigner-plugin/pull/13/) and throw a MojoExecutionException if this happens.
      4. I recommend using a comma as separator for the items in the list. This way it would be possible to change the data type from String to String[] and Maven will itself handle the splitting on the comma (if using the command format) or mangling of nested XML tags into a String[] (if using nested XML format). Thus, the JarsignerSignMojo would not need to do any String splitting.
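One way suggestions 2 to 4 above could fit together, as an added Java sketch that is not code from maven-jarsigner-plugin or maven-jarsigner; the TsaSettings class, its fields and the sample TSA URLs and aliases are assumptions, and the three lists are modelled as the String[] parameters the ticket proposes:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.maven.plugin.MojoExecutionException;

/** Hypothetical sketch, not the plugin's own code. */
public class TsaSettings {

    // In the Mojo these would be String[] @Parameter fields (suggestion 4),
    // so Maven splits the comma list or nested XML tags; here they are plain fields.
    private final String[] tsa;
    private final String[] tsacert;
    private final String[] tsapolicyid;

    public TsaSettings(String[] tsa, String[] tsacert, String[] tsapolicyid) {
        this.tsa = tsa == null ? new String[0] : tsa;
        this.tsacert = tsacert == null ? new String[0] : tsacert;
        this.tsapolicyid = tsapolicyid == null ? new String[0] : tsapolicyid;
    }

    /** Suggestion 3: reject mismatched list lengths before jarsigner is ever invoked. */
    public void validateParameters() throws MojoExecutionException {
        checkCount("tsacert", tsacert.length);
        checkCount("tsapolicyid", tsapolicyid.length);
    }

    private void checkCount(String name, int count) throws MojoExecutionException {
        // An empty list means "not used"; otherwise it must pair one-to-one with -tsa entries.
        if (count != 0 && count != tsa.length) {
            throw new MojoExecutionException(name + " has " + count + " entries but tsa has "
                    + tsa.length + "; give one per TSA server or none at all");
        }
    }

    /** jarsigner TSA arguments for the given attempt; wraps around so a failing server is skipped. */
    public List<String> tsaArgs(int attempt) {
        if (tsa.length == 0) return new ArrayList<>();   // no timestamping configured
        int i = attempt % tsa.length;
        List<String> args = new ArrayList<>(Arrays.asList("-tsa", tsa[i]));
        if (tsacert.length > 0) { args.add("-tsacert"); args.add(tsacert[i]); }
        if (tsapolicyid.length > 0) { args.add("-tsapolicyid"); args.add(tsapolicyid[i]); }
        return args;
    }

    public static void main(String[] a) throws MojoExecutionException {
        // Constructed sample: three servers with matching cert aliases, no policy ids.
        TsaSettings ok = new TsaSettings(
                new String[] {"https://tsa1.example/tsr", "https://tsa2.example/tsr", "https://tsa3.example/tsr"},
                new String[] {"tsa1", "tsa2", "tsa3"}, null);
        ok.validateParameters();
        System.out.println(ok.tsaArgs(4));   // attempt 4 % 3 == 1, i.e. the second server
        // Three URLs but a single alias: validateParameters() throws MojoExecutionException.
        new TsaSettings(ok.tsa, new String[] {"tsa1"}, null).validateParameters();
    }
}
```

The retry loop that calls tsaArgs(attempt) on each failed signing attempt is left to the caller; this sketch only covers the parameter model and the up-front validation.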


      People

        sjaranowski Slawomir Jaranowski
        schedin Lennart Schedin
        Votes: 0
        Watchers: 3