[oXygen-sdk] Signing plugins for use with an add-on site

Alex Jitianu alex_jitianu at sync.ro
Wed Mar 6 03:26:08 CST 2013


Hi Nigel,

We're just not presenting the signing time... Not an issue but I'll take 
another look and see what other information we can present about the 
signature.

Best Regards,
Alex
-- 
Alex Jitianu
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com

On 06-Mar-13 11:06 AM, Nigel Whitaker wrote:
> Hi Alex & George,
>
> Thanks for the help - I've now got it working.
>
> I did try an earlier experiment using jar/jarsigner, but for a reason I
> can't remember, I used a ".zip" file extension.  It looks like this
> extension causes the add-on manager to say that the add-on is unsigned.
> I changed the extension to ".jar" and updated xt:location/@href and it
> was reported as signed.
>
> I've used a timestamp server when signing, I can see the signing time
> reported with "jarsigner -verify -certs -verbose", but not in the add-on
> manager, hope that's OK?
>
> It may help someone coming across this thread in future - here is our
> (ant) signing target (we've an InstantSSL/Comodo certificate):
>
>     <target name="sign-addon" depends="addon-jar">
>       <mkdir dir="${build.addon.signed.dir}"/>
>       <signjar alias="deltaxml limited's comodo ca limited id"
>         signedjar="${build.addon.signed.jar}"
>         jar="${build.addon.unsigned.jar}"
>         storepass="********" tsaurl="http://timestamp.comodoca.com/rfc3161"
>         keystore="${ULD}/auth/deltaxml-codesigning.jks" />
>     </target>
>
> The .jks store was loaded from the .p12 file we got from the certificate
> authority, the JDK 1.6 keytool can do the conversion.
>
>
> Thanks,
>
> Nigel
>
>
>
>
> On 05/03/2013 09:41, oXygen XML Editor Support wrote:
>> Hi Nigel,
>>
>> I'll revise the documentation to make it clear that if you want to
>> sign the add-on you should pack it as a jar archive and if you don't
>> intend to sign it you can just pack it as a zip instead.
>>
>> So just pack the add-on as a jar archive. Seeing that you already have
>> a certificate signed by a trusted authority, you can just use the
>> jarsigner command line tool inside the JDK
>> ({JDK_install_dir}/bin/jarsigner.exe) or the ANT signjar task (which
>> is just a front for the jarsigner tool).
>>
>> Best Regards,
>> Alex
>> -- 
>> Alex Jitianu
>> <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
>> http://www.oxygenxml.com
>>
>> On 04-Mar-13 5:33 PM, George Cristian Bina wrote:
>>> Hi Nigel,
>>>
>>> You should pack the plugin itself as a jar instead of zip and sign that.
>>>
>>> Best Regards,
>>> George
>>> -- 
>>> George Cristian Bina
>>> <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
>>> http://www.oxygenxml.com
>>>
>>> On 3/4/13 5:30 PM, Nigel Whitaker wrote:
>>>> Hello,
>>>>
>>>> We've been experimenting with an add-on site and have got things working
>>>> apart from the code signing.
>>>>
>>>> We've watched the video
>>>> (http://www.oxygenxml.com/demo/AddonsSupport.html) and think it suggests
>>>> that it's the .zip file rather than the .jar which is signed? (There's
>>>> a screen at 4:00 mins with: "2:  Digitally sign the archive")
>>>>
>>>> I've tried using google to research signing zip files but it's leading
>>>> me to signing systems for Android applications (usually running on
>>>> Android).
>>>>
>>>> Do you have any hints/suggestions for signing?  (We've got codesigning
>>>> key/certificates in .cert, .p12, .pem formats and in a Java keystore).
>>>>
>>>> Thanks,
>>>>
>>>> Nigel
>>>>
>
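
A pre-publish check for the two points this thread turns on, the ".jar" extension and the signature files that jarsigner writes into META-INF, as an added example that is not code from the thread or from oXygen. It only checks archive structure and manifest digests; validating the signature and certificate chain is still a job for "jarsigner -verify". The names check_addon, manifest_digests and sample_jar are hypothetical, and the sample archive is constructed with placeholder .SF/.RSA bodies.

```python
import base64, hashlib, io, zipfile
from pathlib import PurePosixPath

BLOCK_EXTS = {".RSA", ".DSA", ".EC"}  # signature block files that accompany a .SF file

def manifest_digests(text):
    """Map entry name -> (algorithm, base64 digest) from MANIFEST.MF per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo 72-byte line wrapping
    out = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        for key, value in attrs.items():
            if key.endswith("-Digest") and "Name" in attrs:
                out[attrs["Name"]] = (key[:-len("-Digest")], value)
    return out

def check_addon(filename, data):
    """Return a list of problems; an empty list means the archive is structurally signed."""
    problems = [] if filename.lower().endswith(".jar") else ["extension is not .jar"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        meta = [PurePosixPath(n) for n in names if n.startswith("META-INF/")]
        sf = {p.stem for p in meta if p.suffix.upper() == ".SF"}
        blocks = {p.stem for p in meta if p.suffix.upper() in BLOCK_EXTS}
        if not sf & blocks:
            problems.append("no .SF file with a matching signature block in META-INF")
        if "META-INF/MANIFEST.MF" not in names:
            return problems + ["no META-INF/MANIFEST.MF"]
        digests = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in (n for n in names if not n.startswith("META-INF/")):
            alg, expected = digests.get(name, (None, None))
            if alg is None:
                problems.append(f"{name}: not listed in the manifest")
                continue
            h = hashlib.new(alg.replace("-", "").lower(), zf.read(name))
            if base64.b64encode(h.digest()).decode() != expected:
                problems.append(f"{name}: {alg} digest mismatch")
    return problems

def sample_jar(tamper=False):
    """Constructed input: jar-shaped archive; the .SF/.RSA bodies are placeholders."""
    body, buf = b"<plugin/>", io.BytesIO()
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    mf = f"Manifest-Version: 1.0\r\n\r\nName: plugin.xml\r\nSHA-256-Digest: {digest}\r\n\r\n"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", mf)
        zf.writestr("META-INF/SIGNER.SF", "placeholder")
        zf.writestr("META-INF/SIGNER.RSA", "placeholder")
        zf.writestr("plugin.xml", body + (b"!" if tamper else b""))
    return buf.getvalue()
```

Running check_addon on the bytes of the file that xt:location/@href points to, before uploading it, catches a renamed or repacked archive whose contents no longer match the signed manifest.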



