Jar Signing Strategy in Maven Projects

Question

We have several maven projects, which are built on the build server. In some cases we want to sign our deliverables. We use Maven Jarsigner Plugin to do that.

We face the following questions:

• Where should we store the passwords for signing?
• What is a good strategy for signing maven projects?

We don't want to put our keystore somewhere on our servers and hardcode a path to it. So we just wrapped this keystore in a jar and uploaded it as an artifact to our inner maven repository. When we want to sign a maven project, we download the keystore artifact using the Maven Dependency Plugin and attach signing goal to maven build lifecycle. Here is more detailed information.

In order to hide the passwords for the keystore, we put them into our corporate pom.xml file. We also think about storing passwords in settings.xml on the build server.

When a project is built and signed on a developer machine, we sign it with self-signed certificate. But when project is built and signed on a build server, we sign it with our "official" certificate.

Is it a good strategy?

Answer 1

I use 2 keystores:

• a development keystore which is stored in the SCM. The CI server can thus sign the snapshots.
• a production keystore with a real production certificate issued by a trusted certification authority.

The development keystore password is in the pom.xml. Here is a snippet of my pom.xml:

  <plugin>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.2</version>
    <configuration>
      <storetype>${keystore.type}</storetype>
      <keystore>${keystore.path}</keystore>
      <alias>${keystore.alias}</alias>
      <storepass>${keystore.store.password}</storepass>
      <keypass>${keystore.key.password}</keypass>
    </configuration>
  </plugin>
  <!-- 
      ... rest of the pom.xml ...
  -->
  <properties>
    <keystore.path>cert/temp.keystore</keystore.path>
    <keystore.type>JKS</keystore.type>
    <keystore.alias>dev</keystore.alias>
    <keystore.password>dev_password</keystore.password>
    <keystore.store.password>${keystore.password}</keystore.store.password>
    <keystore.key.password>${keystore.password}</keystore.key.password>
  </properties>

In ~/.m2/settings.xml I defined a codesgining profile:

<settings>
  <profiles>
    <profile>
      <id>codesigning</id>
      <properties>
        <keystore.path>/opt/prod/prod.keystore</keystore.path> 
        <keystore.alias>prod</keystore.alias>
        <keystore.type>JKS</keystore.type>
        <keystore.store.password>${keystore.password}</keystore.store.password>
        <keystore.key.password>${keystore.password}</keystore.key.password>
      </properties>
    </profile>
  </profiles>
</settings>

when I want to sign the real certificate I invoke maven with the -Pcodesigning -Dkeystore.password=strongPassword parameters. I also configured the maven-release-plugin to use the codesigning profile.

Actually it is possible to store the password in settings.xml as long as the file is readable by nobody but you.