Add a facility for code-signing the IzPack Jar

chakl · Jun 7, 2020 · 918d6f1 · 918d6f1
1 parent 263a80f
commit 918d6f1
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 5 deletions.
diff --git a/exist-installer/pom.xml b/exist-installer/pom.xml
@@ -151,4 +151,39 @@
 
         </plugins>
     </build>
+
+    <profiles>
+        <profile>
+            <id>codesign-izpack-jar</id>
+            <activation>
+                <property>
+                    <name>izpack-signing</name>
+                    <value>true</value>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-jarsigner-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>sign-izpack-jar</id>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                                <configuration>
+                                    <keystore>${existdb.release.keystore}</keystore>
+                                    <storepass>${existdb.release.keystore.pass}</storepass>
+                                    <alias>${existdb.release.keystore.key.alias}</alias>
+                                    <keypass>${existdb.release.keystore.key.pass}</keypass>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
 </project>
diff --git a/exist-parent/pom.xml b/exist-parent/pom.xml
@@ -593,6 +593,11 @@
                         </additionalJOptions>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-jarsigner-plugin</artifactId>
+                    <version>3.0.0</version>
+                </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>

diff --git a/exist-versioning-release.md b/exist-versioning-release.md
@@ -117,6 +117,7 @@ You will require a system with:
 * Docker
 * GnuPG
 * A GPG key (for signing release artifacts)
+* A Java KeyStore with key (for signing IzPack Installer)
 * A valid Apple Developer Certificate (for signing Mac DMG)
 
 1. You will need login credentials for the eXist-db organisation on:
@@ -156,17 +157,22 @@ You will require a system with:
     </settings>
     ```
 
-2. You will need your GPG key credentials for signing the release artifacts in the `<activeProfiles`> section on your machine in your local `~/.m2/settings.xml` file, e.g.:
+2. You will need your GPG Key and Java KeyStore credentials for signing the release artifacts in the `<activeProfiles`> section on your machine in your local `~/.m2/settings.xml` file, e.g.:
     ```xml
     <profiles>
    
        <profile>
-           <id>existdb-release-key</id>
+           <id>existdb-release-signing</id>
            <properties>
                <existdb.release.key>ABC1234</existdb.release.key>
                <existdb.release.public-keyfile>${user.home}/.gnupg/pubring.gpg</existdb.release.public-keyfile>
                <existdb.release.private-keyfile>${user.home}/.gnupg/secring.gpg</existdb.release.private-keyfile>
                <existdb.release.key.passphrase>your-password</existdb.release.key.passphrase>
+   
+               <existdb.release.keystore>${user.home}/your.store</existdb.release.keystore>
+               <existdb.release.keystore.pass>your-keystore-password</existdb.release.keystore.pass>
+               <existdb.release.keystore.key.alias>your-alias</existdb.release.keystore.key.alias>
+               <existdb.release.keystore.key.pass>your-key-password</existdb.release.keystore.key.pass>
            </properties>
        </profile>
    
@@ -175,7 +181,7 @@ You will require a system with:
 
     <activeProfiles>
    
-           <activeProfile>existdb-release-key</activeProfile>
+           <activeProfile>existdb-release-signing</activeProfile>
    
     </activeProfiles>
     ```
@@ -186,7 +192,7 @@ You will require a system with:
 
 5.  Prepare the release, if you wish you can do a dry-run first by specifiying `-DdryRun=true`:
     ```
-    $ mvn -Ddocker=true -Dmac-signing=true -Darguments="-Ddocker=true -Dmac-signing=true" release:prepare
+    $ mvn -Ddocker=true -Dmac-signing=true -Dizpack-signing=true -Darguments="-Ddocker=true -Dmac-signing=true -Dizpack-signing=true" release:prepare
     ```
     
     Maven will start the release process and prompt you for any information that it requires, for example:
@@ -206,7 +212,7 @@ You will require a system with:
 6.  Once the prepare process completes you can perform the release. This will upload Maven Artifacts to Maven
 Central (staging), Docker images to Docker Hub, and eXist-db distributions and installer to BinTray:
     ```
-    $ mvn -Ddocker=true -Dmac-signing=true -Darguments="-Ddocker=true -Dmac-signing=true" release:perform
+    $ mvn -Ddocker=true -Dmac-signing=true -Djarsigner.skip=false -Darguments="-Ddocker=true -Dmac-signing=true -Djarsigner.skip=false" release:perform
     ```
 
 7.  Update the stable branch (`master`) of eXist-db to reflect the latest release: