Class JarSign

java.lang.Object
org.apache.maven.plugin.AbstractMojo
dev.sigstore.plugin.JarSign
All Implemented Interfaces:
org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo

@Mojo(name="jarsign", defaultPhase=PACKAGE) public class JarSign extends org.apache.maven.plugin.AbstractMojo
Goal which:
  • generates an ephemeral key pair
  • gets an OIDC token and the associated email address
  • requests a code signing certificate from sigstore Fulcio
  • signs the JAR file (with jarsigner)
  • publishes the signed JAR file (which carries the signature per the JAR signing spec) to sigstore Rekor
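The key-handling behind the first steps of this goal, as an added Java example that is not the plugin's own code: an ephemeral key pair is generated in memory, the email address carried by the OIDC token is signed with it (the proof of possession that accompanies the ID token in the certificate request), and the signature is checked against the public key the way the CA side does before binding that identity to the key. The algorithm name, curve, SHA256withECDSA scheme and email address are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class EphemeralKeyDemo {
    // Assumed values for this example; the plugin reads its own signingAlgorithm/signingAlgorithmSpec parameters.
    static final String SIGNING_ALGORITHM = "EC";
    static final String SIGNING_ALGORITHM_SPEC = "secp256r1";
    static final String SIGNATURE_SCHEME = "SHA256withECDSA";

    /** Ephemeral key pair: generated in memory for this build only, never written to disk. */
    static KeyPair generateKeyPair(String algorithm, String spec) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
        kpg.initialize(new ECGenParameterSpec(spec), new SecureRandom());
        return kpg.generateKeyPair();
    }

    /** Proof of possession: base64(sign(email)) is sent alongside the ID token when requesting the certificate. */
    static String signEmailAddress(String email, PrivateKey privKey) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(SIGNATURE_SCHEME);
        sig.initSign(privKey);
        sig.update(email.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    /** The check the CA side performs: the signature must verify with the submitted public key over
     *  exactly the email in the ID token, which is what binds that identity to this key. */
    static boolean verifyEmailSignature(String email, String b64Sig, PublicKey pubKey) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(SIGNATURE_SCHEME);
        sig.initVerify(pubKey);
        sig.update(email.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(b64Sig));
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair(SIGNING_ALGORITHM, SIGNING_ALGORITHM_SPEC);
        String tokenEmail = "builder@example.com"; // constructed; stands in for the email claim of the OIDC token
        String signed = signEmailAddress(tokenEmail, kp.getPrivate());
        System.out.println("binds token email:       " + verifyEmailSignature(tokenEmail, signed, kp.getPublic()));
        System.out.println("binds a different email: " + verifyEmailSignature("other@example.com", signed, kp.getPublic()));
        // Once the certificate is issued and the JAR signed, the private key is simply dropped:
        // there is nothing to store, rotate or leak afterwards.
    }
}
```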
  • Field Summary

    Fields inherited from interface org.apache.maven.plugin.Mojo

    ROLE
  • Constructor Summary

    Constructors

    JarSign()
  • Method Summary

    Modifier and Type, Method, Description

    void execute()
    KeyPair generateKeyPair(String signingAlgorithm, String signingAlgorithmSpec) - Returns a new ephemeral key pair according to the plugin parameters
    com.google.api.client.http.HttpTransport getHttpTransport() - Generates an HTTP Transport according to the requested SSL verification settings
    String getIDToken(String expectedEmailAddress) - Obtains an OpenID Connect Identity Token from the OIDC provider specified in oidcAuthURL
    CertPath getSigningCert(String signedEmail, PublicKey pubKey, String idToken) - Obtains an X.509 code signing certificate signed by the Fulcio instance specified in fulcioInstanceURL
    String signEmailAddress(String emailAddress, PrivateKey privKey) - Signs the provided email address using the provided private key
    byte[] signJarFile(PrivateKey privKey, CertPath certs) - Signs a JAR file with jarsigner using the private key; the provided certificate chain is included in the signed JAR file
    URL submitToRekor(byte[] jarBytes) - Submits the jarsigned JAR to a Rekor transparency log using the Rekor jar entry type
    void writeSigningCertToFile(CertPath certs, File outputSigningCert) - Writes the code signing certificate to a file

    Methods inherited from class org.apache.maven.plugin.AbstractMojo

    getLog, getPluginContext, setLog, setPluginContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • JarSign

      public JarSign()
  • Method Details

    • execute

      public void execute() throws org.apache.maven.plugin.MojoExecutionException
      Throws:
      org.apache.maven.plugin.MojoExecutionException
    • generateKeyPair

      public KeyPair generateKeyPair(String signingAlgorithm, String signingAlgorithmSpec) throws org.apache.maven.plugin.MojoExecutionException
      Returns a new ephemeral key pair according to the plugin parameters
      Parameters:
      signingAlgorithm - the key generation algorithm to use (the plugin's signingAlgorithm parameter)
      signingAlgorithmSpec - the algorithm-specific parameter specification to use when generating the key pair (the plugin's signingAlgorithmSpec parameter)
      Returns:
      the public and private key pair
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during the key generation process
    • signEmailAddress

      public String signEmailAddress(String emailAddress, PrivateKey privKey) throws org.apache.maven.plugin.MojoExecutionException
      Signs the provided email address using the provided private key
      Parameters:
      emailAddress - The email address to sign; this should match the email address in the OIDC token
      privKey - The private key used to sign the email address
      Returns:
      base64 encoded String containing the signature for the provided email address
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during the signing process
    • getHttpTransport

      public com.google.api.client.http.HttpTransport getHttpTransport()
      Generates an HTTP Transport according to the requested SSL verification settings
      Returns:
      transport object with SSL verification enabled/disabled per the plugin parameter sslVerification
    • getIDToken

      public String getIDToken(String expectedEmailAddress) throws org.apache.maven.plugin.MojoExecutionException
      Obtains an OpenID Connect Identity Token from the OIDC provider specified in oidcAuthURL
      Parameters:
      expectedEmailAddress - The email address we expect to see in the identity token
      Returns:
      the ID token String (in JWS format)
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during the OIDC authentication flow
    • getSigningCert

      public CertPath getSigningCert(String signedEmail, PublicKey pubKey, String idToken) throws org.apache.maven.plugin.MojoExecutionException
      Obtains an X.509 code signing certificate signed by the Fulcio instance specified in fulcioInstanceURL.
      Parameters:
      signedEmail - a base64 encoded String containing the signed email address to associate with the requested certificate
      pubKey - the public key used to verify the signed email address; this key will be included in the final certificate
      idToken - a raw OIDC Identity token specified in JWS format
      Returns:
      The certificate chain including the code signing certificate
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during the request for the code signing certificate
    • signJarFile

      public byte[] signJarFile(PrivateKey privKey, CertPath certs) throws org.apache.maven.plugin.MojoExecutionException
      Signs a JAR file with jarsigner using the private key; the provided certificate chain is included in the signed JAR file
      Parameters:
      privKey - the private key that should be used to sign the JAR file
      certs - The certificate chain including the code signing certificate which can be used to verify the signature
      Returns:
      The signed JAR file as a byte array
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during the JAR signing process
    • writeSigningCertToFile

      public void writeSigningCertToFile(CertPath certs, File outputSigningCert) throws org.apache.maven.plugin.MojoExecutionException
      Writes the code signing certificate to a file
      Parameters:
      certs - The certificate chain including the code signing certificate which can be used to verify the signature
      outputSigningCert - The file to which the code signing cert should be written
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during writing the certificate to the specified file
    • submitToRekor

      public URL submitToRekor(byte[] jarBytes) throws org.apache.maven.plugin.MojoExecutionException
      Submits the jarsigned JAR to a Rekor transparency log using the Rekor jar entry type
      Parameters:
      jarBytes - The signed JAR file in a byte array
      Returns:
      The URL where the entry in the transparency log can be seen for this signature/key combination
      Throws:
      org.apache.maven.plugin.MojoExecutionException - If any exception happened during interaction with the Rekor instance
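A consumer-side check of the JAR that signJarFile produces, as an added Java example rather than plugin code: every content entry is read through a verifying JarFile so the JDK checks its digest against the signed manifest, unsigned entries are rejected, and each signer's leaf certificate is extracted so the email identity Fulcio recorded in it can be compared with the expected one. The JAR path and expected email come from the command line and are assumptions here; trusting the chain up to the sigstore root and checking the Rekor entry are separate steps not shown.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {
    /** Reads every content entry through a verifying JarFile (a tampered entry throws SecurityException),
     *  rejects unsigned entries, and collects the leaf certificate of each signer. */
    static Set<X509Certificate> signerCertificates(String jarPath) throws Exception {
        Set<X509Certificate> leaves = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {          // true = verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue; // manifest and signature files
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); } // digest check happens here
                CodeSigner[] signers = e.getCodeSigners();       // null until the entry has been read, or if unsigned
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                for (CodeSigner s : signers) leaves.add((X509Certificate) s.getSignerCertPath().getCertificates().get(0));
            }
        }
        return leaves;
    }

    /** For email identities Fulcio records the OIDC identity in the leaf certificate's Subject Alternative
     *  Name as an rfc822Name (GeneralName tag 1); that, not the Subject DN, is where the signer's email lives. */
    static List<String> sanEmails(X509Certificate cert) throws Exception {
        List<String> emails = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return emails;
        for (List<?> san : sans) {
            if (Integer.valueOf(1).equals(san.get(0))) emails.add((String) san.get(1));
        }
        return emails;
    }

    public static void main(String[] args) throws Exception {
        String jarPath = args[0];   // the signed JAR produced by the jarsign goal
        String expected = args[1];  // the email the signer is expected to have authenticated as
        for (X509Certificate leaf : signerCertificates(jarPath)) {
            List<String> emails = sanEmails(leaf);
            System.out.println((emails.contains(expected) ? "OK   " : "FAIL ")
                    + emails + " notAfter=" + leaf.getNotAfter());
        }
        // An intact signature from the wrong identity is still a failure; the SAN comparison ties the artifact
        // to a person or workload. Chain trust to the sigstore root and the Rekor entry are separate checks.
    }
}
```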