A Timestamping Authority (TSA) server is used to add a timestamp to the digital signature. This timestamp indicates when the code was signed and helps prevent issues that may arise if a certificate used for code signing expires.
The maven-jarsigner-plugin currently has support to set -tsa and -tsacert (the same goes for the library JarSignerSignRequest in the https://github.com/apache/maven-jarsigner project).
Feature requested
Allow usage of multiple TSA servers when signing. This could be useful for:
Better stability if one TSA server is down.
Better stability if a TSA server has imposed a rate-limit when signing many jar files at the same time.
This feature has both been suggested by Thorsten Meinl as a patch to https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59 and also by @jcompagner in #1 (comment). But since those suggestions were not tied to a direct ticket, I felt it would be good to collect their feature requests as a separate dedicated ticket.
Implementation suggestions
I don’t plan to implement this feature myself. But since I have analyzed the issue, I can give my suggestions on how to implement it:
The -tsapolicyid parameter is currently missing in the maven-jarsigner project. Consider adding support for this while implementing this ticket.
Since -tsa, -tsacert, -tsapolicyid all belong together, I would recommend making a list of all 3.
If the user specifies 3 tsa URLs but only 1 tsacert it gets a bit tricky. The easiest way to handle this is to use validateParameters() (see [MJARSIGNER-41] Retry and delay feature when signing #13) and throw a MojoExecutionException if this happens.
I recommend using a comma as separator for the items in the list. This way it would be possible to change the data type from String to String[] and Maven will itself handle the splitting on the comma (if using the command format) or mangling of nested XML tags into a String[] (if using nested XML format). Thus, the JarsignerSignMojo would not need to do any String splitting.
Affects: 3.0.0
Issue Links:
MJARSIGNER-77 Bump org.apache.maven.shared:maven-jarsigner from 3.0.0 to 3.1.0
Lennart Schedin opened MJARSIGNER-74 and commented
Background
The jarsigner command has 4 parameters relating to TSA (see https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html):
-tsa url
-tsacert alias
-tsapolicyid policyid
-tsadigestalg algorithm
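The index-aligned lists and the count check from the implementation suggestions, as an added example that is not code from maven-jarsigner or from the issue author. The class, record and method names, the rotate-per-attempt policy, and the sample URLs and policy ids are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
// Added illustration: all names here are hypothetical, not maven-jarsigner code.
public class TsaListExample {

    // Values at the same index of the three lists describe one TSA server.
    record TsaServer(String url, String certAlias, String policyId) {}

    // A list may be empty (option unused); every non-empty list must have the same length.
    static List<TsaServer> validate(String[] tsa, String[] tsacert, String[] tsapolicyid) {
        int n = Math.max(tsa.length, Math.max(tsacert.length, tsapolicyid.length));
        for (String[] list : List.of(tsa, tsacert, tsapolicyid)) {
            if (list.length != 0 && list.length != n) {
                // Assumption: a Mojo would throw MojoExecutionException here instead.
                throw new IllegalArgumentException(
                        "tsa, tsacert and tsapolicyid must list the same number of items");
            }
        }
        List<TsaServer> servers = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            servers.add(new TsaServer(at(tsa, i), at(tsacert, i), at(tsapolicyid, i)));
        }
        return servers;
    }

    private static String at(String[] list, int i) {
        return list.length == 0 ? null : list[i];
    }

    // jarsigner options for one signing attempt; attempts rotate through the servers (assumed policy).
    static List<String> argumentsForAttempt(List<TsaServer> servers, int attempt) {
        List<String> args = new ArrayList<>();
        if (servers.isEmpty()) return args; // no timestamping configured
        TsaServer s = servers.get(attempt % servers.size());
        if (s.url() != null) { args.add("-tsa"); args.add(s.url()); }
        if (s.certAlias() != null) { args.add("-tsacert"); args.add(s.certAlias()); }
        if (s.policyId() != null) { args.add("-tsapolicyid"); args.add(s.policyId()); }
        return args;
    }

    public static void main(String[] unused) {
        // Constructed sample values: two servers, no tsacert aliases.
        String[] tsa = {"https://tsa1.example/", "https://tsa2.example/"};
        String[] policy = {"1.2.3.4", "1.2.3.5"};
        List<TsaServer> servers = validate(tsa, new String[0], policy);
        for (int k = 0; k < 2; k++) System.out.println(argumentsForAttempt(servers, k));
        validate(tsa, new String[] {"only-one-alias"}, policy); // throws: 2 URLs, 1 alias
    }
}
```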