This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new f2091bf Integrate JSign for cross-platform builds with signed Windows binaries
f2091bf is described below
commit f2091bf8b027fefb4a82f26cdba6a806d19301e3
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 9 17:36:25 2021 +0100
Integrate JSign for cross-platform builds with signed Windows binaries
Big thanks due to ebourg
---
 build.properties.default | 18 ++++++++++++--
 build.xml | 59 +++++++++++++++++++++++++++++-----------------
 webapps/docs/changelog.xml | 8 +++++++
 3 files changed, 61 insertions(+), 24 deletions(-)
diff --git a/build.properties.default b/build.properties.default
index 7838db8..2667fdf 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -77,9 +77,11 @@ org.apache.tomcat.util.net.NioSelectorShared=true
 gpg.exec=/path/to/gpg
 # Code signing of Windows installer
+# See https://infra.apache.org/digicert-use.html for setup instructions
 do.codesigning=false
-codesigning.exec=signtool.exe
-codesigning.certificate.thumbprint=5a606116432aba614c246d15e792f9e4bcf19cbf
+codesigning.pkcs11properties=${user.home}/.digicertone/pkcs11properties.cfg
+codesigning.alias=Tomcat-PMC-key-2021-04
+codesigning.digest=SHA-512
 # ----- Settings to use when downloading files -----
 trydownload.httpusecaches=true
@@ -311,3 +313,15 @@ osgi-annotations.checksum.value=153054f987534244f95a399539b11375|b6e802bceba0682
 osgi-annotations.home=${base.path}/osgi-annotations-${osgi-annotations.version}
 osgi-annotations.jar=${osgi-annotations.home}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar
 osgi-annotations.loc=${base-maven.loc}/org/osgi/org.osgi.annotation.bundle/${osgi-annotations.version}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar
+
+# ----- JSign, version 3.1 or later -----
+jsign.version=3.1
+
+# checksums for JSign 3.1
+jsign.checksum.enable=true
+jsign.checksum.algorithm=MD5|SHA-1
+jsign.checksum.value=ed924fc86b7abe1dfe22fd8fd7e4c417|5736035f64805b2760a41ebc1ff11523f666f2c7
+
+jsign.home=${base.path}/jsign-${jsign.version}
+jsign.jar=${jsign.home}/jsign-${jsign.version}.jar
+jsign.loc=${base-maven.loc}/net/jsign/jsign/${jsign.version}/jsign-${jsign.version}.jar
diff --git a/build.xml b/build.xml
index d1eb1c2..32c59ef 100644
--- a/build.xml
+++ b/build.xml
@@ -2604,18 +2604,15 @@ skip.installer property in build.properties" />
 </target>
 <target name="-installer-sign-uninstaller"
- unless="skip.installer" depends="-installer-create-uninstaller"
+ unless="skip.installer" depends="-installer-create-uninstaller,setup-jsign"
 if="${do.codesigning}">
- <exec executable="${codesigning.exec}" failonerror="true">
- <arg value="sign"/>
- <arg value="/sha1"/>
- <arg value="${codesigning.certificate.thumbprint}"/>
- <arg value="/fd"/>
- <arg value="sha512"/>
- <arg value="/tr"/>
- <arg value="http://timestamp.digicert.com"/>
- <arg value="${tomcat.dist}/Uninstall.exe"/>
- </exec>
+ <jsign file="${tomcat.dist}/Uninstall.exe"
+ keystore="${codesigning.pkcs11properties}"
+ storepass="NONE"
+ storetype="PKCS11"
+ alias="${codesigning.alias}"
+ alg="${codesigning.digest}"
+ tsaurl="http://timestamp.digicert.com"/>
 </target>
 <target name="-installer" unless="skip.installer"
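Review bot: The added `jsign.checksum.enable=true` in build.properties.default does not match the name the build reads: the `download-jsign` target added to build.xml passes `${jsign.checksum.enabled}` to `downloadfile`, so that reference stays unresolved. The JSign jar that goes on to sign the release binaries may therefore be fetched without its checksum being enforced, although how `downloadfile` treats an unset flag is outside this diff. Rename the property to `jsign.checksum.enabled=true`. The pinned digests are MD5 and SHA-1 only; if `downloadfile` accepts a stronger algorithm, a SHA-256 or SHA-512 value would be a better pin for a tool in the signing path.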
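Review bot: The `<jsign>` call in `-installer-sign-uninstaller` sets no `tsmode`, while the removed signtool call asked for an RFC 3161 timestamp via `/tr`; as far as I know Jsign defaults to the legacy Authenticode timestamping protocol, so the timestamp protocol would change without anyone choosing it. Adding `tsmode="RFC3161"` keeps the previous behaviour, and the same applies to the `<jsign>` call in `installer-sign`. The removed `<exec>` carried `failonerror="true"`, so it is worth confirming that a Jsign failure also aborts the build rather than letting an unsigned Uninstall.exe be packaged. The `-installer-create-uninstaller` and `setup-jsign` targets named in `depends` are defined outside this hunk.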
@@ -2637,17 +2634,14 @@ skip.installer property in build.properties" />
 <target name="installer-sign" description="Builds and optionally signs the Windows installer"
- depends="-installer" if="${do.codesigning}" >
- <exec executable="${codesigning.exec}" failonerror="true">
- <arg value="sign"/>
- <arg value="/sha1"/>
- <arg value="${codesigning.certificate.thumbprint}"/>
- <arg value="/fd"/>
- <arg value="sha512"/>
- <arg value="/tr"/>
- <arg value="http://timestamp.digicert.com"/>
- <arg value="${tomcat.release}/v${version}/bin/${final.name}.exe"/>
- </exec>
+ depends="-installer,setup-jsign" if="${do.codesigning}" >
+ <jsign file="${tomcat.release}/v${version}/bin/${final.name}.exe"
+ keystore="${codesigning.pkcs11properties}"
+ storepass="NONE"
+ storetype="PKCS11"
+ alias="${codesigning.alias}"
+ alg="${codesigning.digest}"
+ tsaurl="http://timestamp.digicert.com"/>
 <!-- .exe has changed so need to redo checksums and OpenPGP signature -->
 <delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.asc" />
 <delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.sha512" />
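Review bot: Adding `setup-jsign` to `depends` on `installer-sign` makes the JSign download and `taskdef` run even when `do.codesigning` is false, because Ant runs a target's dependencies before it evaluates that target's own `if` attribute; the same holds for `-installer-sign-uninstaller`. Builds that never sign would still fetch a third-party jar and load it into the build JVM. Put the same condition on the setup targets, i.e. add `if="${do.codesigning}"` to both `download-jsign` and `setup-jsign`. The body of `installer-sign` continues past the end of this hunk.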
@@ -3689,6 +3683,27 @@ Read the Building page on the Apache Tomcat documentation site for details on ho
 <!-- ======================= Macros, Taskdefs etc ======================== -->
+ <target name="download-jsign" >
+ <!-- Download jsign -->
+ <antcall target="downloadfile">
+ <param name="sourcefile" value="${jsign.loc}"/>
+ <param name="destfile" value="${jsign.jar}"/>
+ <param name="destdir" value="${jsign.home}"/>
+ <param name="checksum.enabled" value="${jsign.checksum.enabled}"/>
+ <param name="checksum.algorithm" value="${jsign.checksum.algorithm}"/>
+ <param name="checksum.value" value="${jsign.checksum.value}"/>
+ </antcall>
+ </target>
+
+ <target name="setup-jsign" depends="download-jsign">
+ <!-- Add jsign tasks to project -->
+ <path id="jsign.classpath">
+ <fileset file="${jsign.jar}" />
+ </path>
+
+ <taskdef name="jsign" classname="net.jsign.JsignTask" classpathref="jsign.classpath" />
+ </target>
+
 <target name="download-bnd" >
 <!-- Download bnd -->
 <antcall target="downloadfile">
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9671b9e..745ed84 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,14 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Other">
+ <changelog>
+ <add>
+ Use JSign to integrate the build script with the code signing service to
+ enable release builds to be created on Linux as well as Windows. (markt)
+ </add>
+ </changelog>
+ </subsection>
 </section>
 <section name="Tomcat 9.0.47 (remm)" rtext="not released">
 <subsection name="Catalina">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org