[oXygen-sdk] Signing plugins for use with an add-on site

Nigel Whitaker nigel.whitaker at deltaxml.com
Wed Mar 6 03:06:45 CST 2013


Hi Alex & George,

Thanks for the help - I've now got it working.

I did try an earlier experiment using jar/jarsigner, but for a reason I 
can't remember, I used a ".zip" file extension.  It looks like this 
extension causes the add-on manager to say that the add-on is unsigned.  
I changed the extension to ".jar" and updated xt:location/@href and it 
was reported as signed.

I've used a timestamp server when signing, I can see the signing time 
reported with "jarsigner -verify -certs -verbose", but not in the add-on 
manager, hope that's OK?

It may help someone coming across this thread in future - here is our 
(ant) signing target (we've an InstantSSL/Comodo certificate):

   <target name="sign-addon" depends="addon-jar">
     <mkdir dir="${build.addon.signed.dir}"/>
     <signjar alias="deltaxml limited's comodo ca limited id"
       signedjar="${build.addon.signed.jar}"
       jar="${build.addon.unsigned.jar}"
       storepass="********" tsaurl="http://timestamp.comodoca.com/rfc3161"
       keystore="${ULD}/auth/deltaxml-codesigning.jks" />
   </target>

The .jks store was loaded from the .p12 file we got from the certificate 
authority, the JDK 1.6 keytool can do the conversion.


Thanks,

Nigel




On 05/03/2013 09:41, oXygen XML Editor Support wrote:
> Hi Nigel,
>
> I'll revise the documentation to make it clear that if you want to 
> sign the add-on you should pack it as a jar archive and if you don't 
> intend to sign it you can just pack it as a zip instead.
>
> So just pack the add-on as a jar archive. Seeing that you already have 
> a certificate signed by a trusted authority, you can just use the 
> jarsigner command line tool inside the JDK 
> ({JDK_install_dir}/bin/jarsigner.exe) or the ANT signjar task (which 
> is just a front for the jarsigner tool).
>
> Best Regards,
> Alex
> -- 
> Alex Jitianu
> <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
> http://www.oxygenxml.com
>
> On 04-Mar-13 5:33 PM, George Cristian Bina wrote:
>> Hi Nigel,
>>
>> You should pack the plugin itself as a jar instead of zip and sign that.
>>
>> Best Regards,
>> George
>> -- 
>> George Cristian Bina
>> <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
>> http://www.oxygenxml.com
>>
>> On 3/4/13 5:30 PM, Nigel Whitaker wrote:
>>> Hello,
>>>
>>> We've been experimenting with an add-on site and have got things working
>>> apart from the code signing.
>>>
>>> We've watched the video
>>> (http://www.oxygenxml.com/demo/AddonsSupport.html) and think it suggests
>>> that it's the .zip file rather than the .jar which is signed? (There's
>>> a screen at 4:00 mins with: "2:  Digitally sign the archive")
>>>
>>> I've tried using google to research signing zip files but it's leading
>>> me to signing systems for Android applications (usually running on Android).
>>>
>>> Do you have any hints/suggestions for signing?  (We've got codesigning
>>> key/certificates in .cert, .p12, .pem formats and in a Java keystore).
>>>
>>> Thanks,
>>>
>>> Nigel
>>>
>> _______________________________________________
>> oXygen-sdk mailing list
>> oXygen-sdk at oxygenxml.com
>> http://www.oxygenxml.com/mailman/listinfo/oxygen-sdk
>>
>


-- 
Nigel Whitaker, Software Architect, DeltaXML Ltd. "Experts in information change"
nigel.whitaker at deltaxml.com   http://www.deltaxml.com   +44 1684 869035
Registered in England: 02528681 Reg. Office: Monsell House, WR8 0QN, UK
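
A pre-publish check for the packaging rule this thread settles on, added here as an example and not part of the original messages: it confirms the archive is named .jar, carries the META-INF signature files that jarsigner writes, and that every payload entry matches its manifest digest. The function names and the sample archive are constructed for illustration; the check does not validate the signature or certificate chain, which remains the job of "jarsigner -verify".

```python
import base64, hashlib, io, zipfile

ALGS = {"SHA1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}

def b64_digest(alg, data):
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def manifest_digests(text):
    """Map entry name -> (hashlib algorithm, base64 digest) from MANIFEST.MF text."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    found = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, value in attrs.items():
            if "Name" in attrs and key.endswith("-Digest") and key[:-7] in ALGS:
                found[attrs["Name"]] = (ALGS[key[:-7]], value)
    return found

def check_addon(filename, data):
    """List problems; empty means a signed-jar layout. A .zip name counts as a
    problem because the thread reports such an archive being shown as unsigned."""
    problems = [] if filename.lower().endswith(".jar") else ["extension is not .jar"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
        for kind, exts in (("file (.SF)", (".SF",)), ("block (.RSA/.DSA/.EC)", (".RSA", ".DSA", ".EC"))):
            if not any(n.endswith(exts) for n in meta):
                problems.append("no signature " + kind)
        if "META-INF/MANIFEST.MF" not in names:
            return problems + ["no META-INF/MANIFEST.MF"]
        digests = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        payload = [n for n in names if not (n.endswith("/") or n.upper().startswith("META-INF/"))]
        for name in payload:
            if name not in digests:
                problems.append("entry not covered by manifest: " + name)
            elif b64_digest(digests[name][0], zf.read(name)) != digests[name][1]:
                problems.append("digest mismatch: " + name)
    return problems

def build_sample(signed=True, tamper=False):
    """Constructed test archive; the .SF and .RSA bodies are placeholders, not signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.xml", b"<changed/>" if tamper else b"<plugin/>")
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\nName: plugin.xml\r\n"
                        "SHA-256-Digest: " + b64_digest("sha256", b"<plugin/>") + "\r\n\r\n")
            for stub in ("SAMPLE.SF", "SAMPLE.RSA"):
                zf.writestr("META-INF/" + stub, "placeholder")
    return buf.getvalue()
```
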



