Package dev.sigstore.plugin
Class JarSign

java.lang.Object
  org.apache.maven.plugin.AbstractMojo
    dev.sigstore.plugin.JarSign

All Implemented Interfaces:
org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo

@Mojo(name="jarsign", defaultPhase=PACKAGE)
public class JarSign extends org.apache.maven.plugin.AbstractMojo
Goal which:
- generates an ephemeral key pair
- gets an OIDC token and the associated email address
- requests a code signing certificate from sigstore Fulcio
- signs the JAR file (with jarsigner)
- publishes the signed JAR file (which contains the signature per the JAR signing spec) to sigstore Rekor
Field Summary
Fields inherited from interface org.apache.maven.plugin.Mojo: ROLE

Constructor Summary
JarSign()
Method Summary

void execute()

KeyPair generateKeyPair(String signingAlgorithm, String signingAlgorithmSpec)
    Returns a new ephemeral keypair according to the plugin parameters

com.google.api.client.http.HttpTransport getHttpTransport()
    Generates an HTTP Transport according to the requested SSL verification settings

String getIDToken(String expectedEmailAddress)
    Obtains an OpenID Connect Identity Token from the OIDC provider specified in oidcAuthURL

CertPath getSigningCert(String signedEmail, PublicKey pubKey, String idToken)
    Obtains an X509 code signing certificate signed by the Fulcio instance specified in fulcioInstanceURL

String signEmailAddress(String emailAddress, PrivateKey privKey)
    Signs the provided email address using the provided private key

byte[] signJarFile(PrivateKey privKey, CertPath certs)
    Signs a JAR file with jarsigner using the private key; the provided certificate chain will be included in the signed JAR file

submitToRekor(byte[] jarBytes)
    Submits the jarsigned JAR to a Rekor transparency log, with the Rekor jar entry type

void writeSigningCertToFile(CertPath certs, File outputSigningCert)
    Writes the code signing certificate to a file

Methods inherited from class org.apache.maven.plugin.AbstractMojo
getLog, getPluginContext, setLog, setPluginContext
Constructor Details

JarSign
public JarSign()
Method Details

execute
public void execute() throws org.apache.maven.plugin.MojoExecutionException
Throws:
    org.apache.maven.plugin.MojoExecutionException
generateKeyPair
public KeyPair generateKeyPair(String signingAlgorithm, String signingAlgorithmSpec) throws org.apache.maven.plugin.MojoExecutionException
Returns a new ephemeral keypair according to the plugin parameters
Parameters:
    signingAlgorithm - the algorithm used to generate the ephemeral key pair
    signingAlgorithmSpec - the parameter specification for that algorithm
Returns:
    the public and private keypair
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened during the key generation process
signEmailAddress
public String signEmailAddress(String emailAddress, PrivateKey privKey) throws org.apache.maven.plugin.MojoExecutionException
Signs the provided email address using the provided private key
Parameters:
    emailAddress - the email address to sign; this should match the email address in the OIDC token
    privKey - the private key used to sign the email address
Returns:
    base64 encoded String containing the signature for the provided email address
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened during the signing process
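The ephemeral key pair and signed-email steps from the goal list, and the generateKeyPair and signEmailAddress contracts above, as an added example that is not the plugin's own code: it assumes an EC key on a named curve and SHA256withECDSA, neither of which the page states, and adds the check Fulcio performs on the proof of possession.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

/** Added example: ephemeral key pair plus the signed-email proof of possession sent to Fulcio. */
public final class EphemeralProofOfPossession {

    /** Mirrors generateKeyPair(signingAlgorithm, signingAlgorithmSpec); assumes "EC" and a named curve. */
    static KeyPair generateKeyPair(String signingAlgorithm, String signingAlgorithmSpec)
            throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(signingAlgorithm);
        // Fresh randomness per build: the private key never leaves this JVM and is discarded afterwards.
        kpg.initialize(new ECGenParameterSpec(signingAlgorithmSpec), new SecureRandom());
        return kpg.generateKeyPair();
    }

    /** Mirrors signEmailAddress(emailAddress, privKey): base64 of an ECDSA signature over the UTF-8 email. */
    static String signEmailAddress(String emailAddress, PrivateKey privKey) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA"); // assumed; must match the key type above
        sig.initSign(privKey);
        sig.update(emailAddress.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    /** The check Fulcio performs: the email from the OIDC token must be signed by the submitted public key. */
    static boolean verifyEmailSignature(String emailAddress, String signedEmail, PublicKey pubKey)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pubKey);
        sig.update(emailAddress.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(signedEmail));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair kp = generateKeyPair("EC", "secp256r1");
        String email = "builder@example.org"; // constructed sample value
        String proof = signEmailAddress(email, kp.getPrivate());
        System.out.println("proof for " + email + " verifies: " + verifyEmailSignature(email, proof, kp.getPublic()));
        // A proof bound to one identity must not validate for another email address.
        System.out.println("proof for other@example.org verifies: "
                + verifyEmailSignature("other@example.org", proof, kp.getPublic()));
    }
}
```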
getHttpTransport
public com.google.api.client.http.HttpTransport getHttpTransport()
Generates an HTTP Transport according to the requested SSL verification settings
Returns:
    transport object with SSL verification enabled/disabled per the plugin parameter sslVerification
getIDToken
public String getIDToken(String expectedEmailAddress) throws org.apache.maven.plugin.MojoExecutionException
Obtains an OpenID Connect Identity Token from the OIDC provider specified in oidcAuthURL
Parameters:
    expectedEmailAddress - the email address we expect to see in the identity token
Returns:
    the ID token String (in JWS format)
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened during the OIDC authentication flow
getSigningCert
public CertPath getSigningCert(String signedEmail, PublicKey pubKey, String idToken) throws org.apache.maven.plugin.MojoExecutionException
Obtains an X509 code signing certificate signed by the Fulcio instance specified in fulcioInstanceURL.
Parameters:
    signedEmail - a base64 encoded String containing the signed email address to associate with the requested certificate
    pubKey - the public key used to verify the signed email address; this key will be included in the final certificate
    idToken - a raw OIDC Identity token specified in JWS format
Returns:
    the certificate chain including the code signing certificate
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened during the request for the code signing certificate
signJarFile
public byte[] signJarFile(PrivateKey privKey, CertPath certs) throws org.apache.maven.plugin.MojoExecutionException
Signs a JAR file with jarsigner using the private key; the provided certificate chain will be included in the signed JAR file
Parameters:
    privKey - the private key that should be used to sign the JAR file
    certs - the certificate chain including the code signing certificate which can be used to verify the signature
Returns:
    the signed JAR file in a byte array
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened during the JAR signing process
writeSigningCertToFile
public void writeSigningCertToFile(CertPath certs, File outputSigningCert) throws org.apache.maven.plugin.MojoExecutionException
Writes the code signing certificate to a file
Parameters:
    certs - the certificate chain including the code signing certificate which can be used to verify the signature
    outputSigningCert - the file where the code signing cert should be written to
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened while writing the certificate to the specified file
submitToRekor
Submits the jarsigned JAR to a Rekor transparency log, with the Rekor jar entry type
Parameters:
    jarBytes - the signed JAR file in a byte array
Returns:
    the URL where the entry in the transparency log can be seen for this signature/key combination
Throws:
    org.apache.maven.plugin.MojoExecutionException - if any exception happened during interaction with the Rekor instance