使用 EV 代码签名创建 Maven JNLP

Maven JNLP creation with EV Code Signing

我正在使用 Maven 和 webstart-maven-plugin 生成一个 JNLP 文件并对我的项目的 jar 文件进行签名。我们只需要更新我们的代码签名证书,自 2017 年 2 月起,提供硬件令牌而不是软件令牌。

根据 GlobalSign 支持页面,使用硬件令牌对 jar 进行签名的正确方法如下(参见 article):

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5"

我遵循了那篇文章中描述的所有步骤,现在我正在尝试调整我的 pom.xml 以应用 EV 代码签名证书。

最初我使用了一个密钥库(片段,下面是完整的 pom):

<!-- SIGNING -->
<sign>
    <keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore>
    <keypass>...</keypass>
    <storepass>...</storepass>
    <alias>...</alias>
    <verify>true</verify>
</sign>

现在我正在尝试更新它以使 EV 代码签名工作(片段,下面的完整 pom):

<!-- SIGNING -->
<sign>
    <keystore>NONE</keystore>
    <storetype>PKCS11</storetype>
    <storepass>...</storepass>
    <tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
    <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
    <providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
    <alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example -->
    <verify>true</verify>
</sign>

不过,似乎不支持tsaproviderClassproviderArg,除非我遗漏了什么。我没有找到很多关于 webstart-maven-plugin 的信息,或者它不是最新的,这很遗憾:(

在创建 JNLP 时是否有 another/better 签署 jar 的方法?任何帮助将不胜感激!

pom.xml 代码签名(使用密钥库)

    <profile>
        <id>jnlp</id>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.codehaus.mojo</groupId>
                    <artifactId>webstart-maven-plugin</artifactId>
                    <version>1.0-beta-6</version>
                    <dependencies>
                        <dependency>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>webstart-pack200-impl</artifactId>
                            <version>1.0-beta-6</version>
                        </dependency>
                        <dependency>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>keytool-api-1.7</artifactId>
                            <version>1.5</version>
                        </dependency>
                    </dependencies>
                    <executions>
                        <execution>
                            <phase>package</phase>
                            <goals>
                                <goal>jnlp</goal>
                            </goals>
                        </execution>
                    </executions>
                    <configuration>
                        <!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory -->
                        <libPath>lib</libPath>
                        <!-- JNLP generation -->
                        <jnlp>
                            <mainClass>myApp.ui.MainApp</mainClass>
                        </jnlp>

                        <!-- SIGNING -->
                        <sign>
                            <keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore>
                            <keypass>...</keypass>
                            <storepass>...</storepass>
                            <alias>...</alias>
                            <verify>true</verify>
                        </sign>
                        <verbose>true</verbose>
                        <updateManifestEntries>
                            <Application-Name>MyApp</Application-Name>
                            <Permissions>all-permissions</Permissions>
                            <Codebase>...</Codebase>
                            <Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase>
                            <Caller-Allowable-Codebase>...</Caller-Allowable-Codebase>
                        </updateManifestEntries>

                        <!-- BUILDING PROCESS -->
                        <pack200>
                            <enabled>false</enabled>
                        </pack200>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-assembly-plugin</artifactId>
                    <version>2.6</version>
                    <configuration>
                        <descriptorRefs>
                            <descriptorRef>jar-with-dependencies</descriptorRef>
                        </descriptorRefs>
                    </configuration>
                    <executions>
                        <execution>
                            <id>assemble-all</id>
                            <phase>package</phase>
                            <goals>
                                <goal>single</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>

pom.xml EV 代码签名(使用 SafeNet 令牌)

    <profile>
        <id>jnlp</id>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.codehaus.mojo</groupId>
                    <artifactId>webstart-maven-plugin</artifactId>
                    <version>1.0-beta-7</version>
                    <dependencies>
                        <dependency>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>webstart-pack200-impl</artifactId>
                            <version>1.0-beta-6</version>
                        </dependency>
                        <dependency>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>keytool-api-1.7</artifactId>
                            <version>1.5</version>
                        </dependency>
                    </dependencies>
                    <executions>
                        <execution>
                            <phase>package</phase>
                            <goals>
                                <goal>jnlp</goal>
                            </goals>
                        </execution>
                    </executions>
                    <configuration>
                        <!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory -->
                        <libPath>lib</libPath>
                        <!-- JNLP generation -->
                        <jnlp>
                            <mainClass>myApp.ui.MainApp</mainClass>
                        </jnlp>

                        <!-- SIGNING -->
                        <sign>
                            <keystore>NONE</keystore>
                            <storetype>PKCS11</storetype>
                            <storepass>...</storepass>
                            <tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
                            <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
                            <providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
                            <alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- i took the alias from the article as an example -->
                            <verify>true</verify>
                        </sign>
                        <verbose>true</verbose>
                        <updateManifestEntries>
                            <Application-Name>MyApp</Application-Name>
                            <Permissions>all-permissions</Permissions>
                            <Codebase>...</Codebase>
                            <Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase>
                            <Caller-Allowable-Codebase>...</Caller-Allowable-Codebase>
                        </updateManifestEntries>

                        <!-- BUILDING PROCESS -->
                        <pack200>
                            <enabled>false</enabled>
                        </pack200>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-assembly-plugin</artifactId>
                    <version>2.6</version>
                    <configuration>
                        <descriptorRefs>
                            <descriptorRef>jar-with-dependencies</descriptorRef>
                        </descriptorRefs>
                    </configuration>
                    <executions>
                        <execution>
                            <id>assemble-all</id>
                            <phase>package</phase>
                            <goals>
                                <goal>single</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>

为什么不使用 javafxpackager?它可以创建 java webstart 和可执行表单并轻松签署。这是 Oracle 推荐的。我已经这样做了很多年并且真的很喜欢它。我正在使用它的 ant 任务,但我相信他们也有一个 maven 插件。

这里有更多信息:

http://docs.oracle.com/javafx/2/deployment/packager.htm

我这几天也遇到了同样的问题。我成功地使用了 "workaround"

解决方法 1(一个 fat jar):

  • maven-shade-plugin(这是创建具有依赖关系的 "fat jar" 的简单方法,然后 只需在这个罐子上签名)
  • maven-jarsigner-plugin(从令牌签署阴影 jar)
  • webstart-maven-plugin(仅用于 jnlp 目的)

这是我的 pom :

<dependencies>

    ...

</dependencies>

<build>
    <plugins>

        ...

        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-shade-plugin</artifactId>
            <version>3.0.0</version>
            <executions>
                <execution>
                    <id>shade</id>
                    <phase>package</phase>
                    <goals>
                        <goal>shade</goal>
                    </goals>
                    <configuration>
                        <transformers>
                            <transformer
                                implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                                <manifestEntries>
                                    <Permissions>all-permissions</Permissions>
                                </manifestEntries>
                            </transformer>
                        </transformers>
                    </configuration>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jarsigner-plugin</artifactId>
            <version>1.4</version>
            <executions>
                <execution>
                    <id>sign</id>
                    <phase>package</phase>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <keystore>NONE</keystore>
                <storepass>******</storepass>
                <storetype>PKCS11</storetype>
                <tsa>http://rxxxxx.globalsign.com/advanced</tsa>
                <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
                <providerArg>${project.basedir}/src/main/eToken.cfg</providerArg>
                <alias>xxxxxxxxxxxxx</alias>
                <archive>${project.build.directory}/${project.build.FinalName}.${project.packaging}</archive>
                <arguments>
                    <argument>-J-Dhttp.proxyHost=my.proxy.com</argument>
                    <argument>-J-Dhttp.proxyPort=8080</argument>
                </arguments>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.codehaus.mojo.webstart</groupId>
            <artifactId>webstart-maven-plugin</artifactId>
            <version>1.0-beta-7</version>
            <executions>
                <execution>
                    <id>build-jnlp</id>
                    <phase>package</phase>
                    <goals>
                        <goal>jnlp</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <makeArchive>false</makeArchive>
                <jnlp>
                    <inputTemplateResourcePath>${project.basedir}/src/main/jnlp</inputTemplateResourcePath>
                    <inputTemplate>template.vm</inputTemplate>
                    <mainClass>test</mainClass>
                </jnlp>
            </configuration>
        </plugin>
    </plugins>

</build>

和template.vm:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://www.mycompany.com/poc" href="launch.jnlp">
    <information>
        <title>xxxx</title>
        <vendor>$project.Organization.Name</vendor>
        <homepage href="http://www.mycompany.com" />
        <description>$project.Description</description>
        <offline-allowed />
    </information>
    <security>
        <all-permissions />
    </security>
    <resources>
        <j2se version="1.7+" />
        $dependencies
    </resources>
    <application-desc main-class="$mainClass" />
</jnlp>

解决方法 2(几个 jar):

  • maven-jar-plugin(在主 jar 清单中设置所有权限)
  • webstart-maven-plugin(仅用于 jnlp 目的)
  • maven-jarsigner-plugin(从令牌在 /jnlp 中签署所有 jar)

这是我的 pom :

<dependencies>

    ...

</dependencies>

<build>
    <plugins>

        ...
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jar-plugin</artifactId>
            <executions>
                <execution>
                    <id>update-manifest-permissions-entry</id>
                    <phase>prepare-package</phase>
                    <goals>
                        <goal>jar</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <archive>
                    <addMavenDescriptor>false</addMavenDescriptor>
                    <manifestEntries>
                        <Permissions>all-permissions</Permissions>
                    </manifestEntries>
                </archive>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>webstart-maven-plugin</artifactId>
            <version>1.0-beta-7</version>
            <executions>
                <execution>
                    <id>build-jnlp</id>
                    <phase>package</phase>
                    <goals>
                        <goal>jnlp</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <makeArchive>false</makeArchive>
                <jnlp>
                    <inputTemplateResourcePath>${project.basedir}/src/main/jnlp</inputTemplateResourcePath>
                    <inputTemplate>template.vm</inputTemplate>
                    <mainClass>test</mainClass>
                </jnlp>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jarsigner-plugin</artifactId>
            <version>1.4</version>
            <executions>
                <execution>
                    <id>sign</id>
                    <phase>install</phase>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <keystore>NONE</keystore>
                <storepass>xxxxx</storepass>
                <storetype>PKCS11</storetype>
                <tsa>http://xxx.globalsign.com/xxx</tsa>
                <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
                <providerArg>${project.basedir}/src/main/eToken.cfg</providerArg>
                <alias>xxxxxxx</alias>
                <processMainArtifact>false</processMainArtifact>
                <archiveDirectory>${project.build.directory}/jnlp</archiveDirectory>
                <arguments>
                    <argument>-J-Dhttp.proxyHost=myproxy.company.com</argument>
                    <argument>-J-Dhttp.proxyPort=8080</argument>
                </arguments>
            </configuration>
        </plugin>
    </plugins>

</build>

和template.vm:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://www.mycompany.com/poc" href="launch.jnlp">
    <information>
        <title>xxxx</title>
        <vendor>$project.Organization.Name</vendor>
        <homepage href="http://www.mycompany.com" />
        <description>$project.Description</description>
        <offline-allowed />
    </information>
    <security>
        <all-permissions />
    </security>
    <resources>
        <j2se version="1.7+" />
        $dependencies
    </resources>
    <application-desc main-class="$mainClass" />
</jnlp>

免责声明: 我是 javafx-maven-plugin.

的维护者

这已得到报告,现在可用,有关详细信息,请参阅此 link:https://github.com/javafx-maven-plugin/javafx-maven-plugin/issues/291

正如在 javafx-maven-plugin 中已经提到的,这里是实现此功能的解决方案:

<plugin>
    <groupId>com.zenjava</groupId>
    <artifactId>javafx-maven-plugin</artifactId>
    <version>8.8.4-SNAPSHOT</version>
    <!-- this configuration is share among all executions -->
    <configuration>
        <mainClass>fqdn.to.your.MainClass</mainClass>
        <description>test signing</description>
        <title>launch</title>
        <verbose>true</verbose>
        <j2seVersion>1.8+</j2seVersion>
        <appName>simpleApplicationName</appName>

        <!-- this only sets the field inside jar-file -->
        <allPermissions>true</allPermissions>
    </configuration>
    <executions>
        <execution>
            <!-- required before build-native, creates target/jfx/app -->
            <id>create-jfxjar</id>
            <phase>package</phase>
            <goals>
                <goal>build-jar</goal>
            </goals>
        </execution>
        <execution>
            <!-- creates target/jfx/web -->
            <id>create-jnlp-bundle</id>
            <phase>package</phase>
            <goals>
                <goal>build-native</goal>
            </goals>
            <!-- this configuration is only specific to this execution -->
            <configuration>
                <!-- as we only want to create the JNLP-package, use fixed bundler-ID -->
                <bundler>jnlp<bundler>

                <bundleArguments>
                    <!-- this makes the JNLP-file having permissions being set -->
                    <!-- AND it is the trigger for signing jar-files using jarsigner -->
                    <jnlp.allPermisions>true</jnlp.allPermisions>

                    <!-- the JNLP-bundler is a bit picky about its parametes, it does not use <appName> -->
                    <jnlp.outfile>simpleApplicationName</jnlp.outfile>
                </bundleArguments>

                <!-- this setting is required for the new "jarsigner"-feature -->
                <noBlobSigning>true</noBlobSigning>

                <!-- these are required, please change them for your own requirements -->
                <keyStoreAlias>myalias</keyStoreAlias>
                <keyStorePassword>mypass</keyStorePassword>

                <!-- as this keystore is no file, please disable file-checks -->
                <skipKeyStoreChecking>true</skipKeyStoreChecking>
                <!-- this is new too and required, as PKCS11 does not want some keypass -->
                <skipKeypassWhileSigning>true</skipKeypassWhileSigning>

                <!-- this is used for additional parameters for the jarsigner command -->
                <additionalJarsignerParameters>
                    <additionalJarsignerParameter>-keystore</additionalJarsignerParameter>
                    <additionalJarsignerParameter>NONE</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
                    <additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
                    <additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
                    <additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
                    <additionalJarsignerParameter>${project.basedir}/src/main/resources/token/eToken.config</additionalJarsignerParameter>
                    <!-- I DO KNOW that this is verbose ... -->
                </additionalJarsignerParameters>

                <!-- the jnlp-bundler gets a bit messy, lots of files, so we want to mimic "jfx:web"-folder-structure -->
                <nativeOutputDir>${project.build.directory}/jfx/web</nativeOutputDir>
            </configuration>
        </execution>
    </executions>
</plugin>

此版本尚未发布,但可以从 sonatype-repository 获取快照。