This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 4826a29  Integrate JSign for cross-platform builds with signed Windows 
binaries
4826a29 is described below

commit 4826a2958c353d0e67fd95836daebd3ce1580966
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 9 17:36:25 2021 +0100

    Integrate JSign for cross-platform builds with signed Windows binaries
    
    Big thanks due to ebourg
---
 build.properties.default   | 18 ++++++++++++--
 build.xml                  | 59 +++++++++++++++++++++++++++++-----------------
 webapps/docs/changelog.xml |  4 ++++
 3 files changed, 57 insertions(+), 24 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 53ad4e3..a549ff2 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -76,9 +76,11 @@ org.apache.tomcat.util.net.NioSelectorShared=true
 gpg.exec=/path/to/gpg
 
 # Code signing of Windows installer
+# See https://infra.apache.org/digicert-use.html for setup instructions
 do.codesigning=false
-codesigning.exec=signtool.exe
-codesigning.certificate.thumbprint=5a606116432aba614c246d15e792f9e4bcf19cbf
+codesigning.pkcs11properties=${user.home}/.digicertone/pkcs11properties.cfg
+codesigning.alias=Tomcat-PMC-key-2021-04
+codesigning.digest=SHA-512
 
 # ----- Settings to use when downloading files -----
 trydownload.httpusecaches=true
@@ -291,3 +293,15 @@ 
findbugs.checksum.value=8c54502a8e1b78ea6b173a186ce6f379|95114d9aaeeba7bd4ea5a3d
 findbugs.home=${base.path}/spotbugs-${findbugs.version}
 findbugs.jar=${findbugs.home}/lib/spotbugs-ant.jar
 
findbugs.loc=${base-maven.loc}/com/github/spotbugs/spotbugs/${findbugs.version}/spotbugs-${findbugs.version}.tgz
+
+# ----- JSign, version 3.1 or later -----
+jsign.version=3.1
+
+# checksums for JSign 3.1
+jsign.checksum.enable=true
+jsign.checksum.algorithm=MD5|SHA-1
+jsign.checksum.value=ed924fc86b7abe1dfe22fd8fd7e4c417|5736035f64805b2760a41ebc1ff11523f666f2c7
+
+jsign.home=${base.path}/jsign-${jsign.version}
+jsign.jar=${jsign.home}/jsign-${jsign.version}.jar
+jsign.loc=${base-maven.loc}/net/jsign/jsign/${jsign.version}/jsign-${jsign.version}.jar
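Review bot: The property added in this hunk is `jsign.checksum.enable`, but the new `download-jsign` target in build.xml passes `${jsign.checksum.enabled}` to `downloadfile`, so the name never resolves and Ant hands over the literal unexpanded string. How `downloadfile` treats that value is outside this diff, but the likely result is that the JSign jar, which is then loaded as an Ant task with access to the release signing keystore, is fetched without the intended integrity check. Rename the line to `jsign.checksum.enabled=true`. Separately, MD5 and SHA-1 are both collision-weak; if `downloadfile` accepts a stronger algorithm, pinning this jar with SHA-512 would suit a tool that sits in the signing path.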
diff --git a/build.xml b/build.xml
index 0ad4be1..777081a 100644
--- a/build.xml
+++ b/build.xml
@@ -2285,18 +2285,15 @@ skip.installer property in build.properties" />
   </target>
 
   <target name="-installer-sign-uninstaller"
-      unless="skip.installer" depends="-installer-create-uninstaller"
+      unless="skip.installer" 
depends="-installer-create-uninstaller,setup-jsign"
       if="${do.codesigning}">
-    <exec executable="${codesigning.exec}" failonerror="true">
-      <arg value="sign"/>
-      <arg value="/sha1"/>
-      <arg value="${codesigning.certificate.thumbprint}"/>
-      <arg value="/fd"/>
-      <arg value="sha512"/>
-      <arg value="/tr"/>
-      <arg value="http://timestamp.digicert.com"/>
-      <arg value="${tomcat.dist}/Uninstall.exe"/>
-    </exec>
+    <jsign file="${tomcat.dist}/Uninstall.exe"
+        keystore="${codesigning.pkcs11properties}"
+        storepass="NONE"
+        storetype="PKCS11"
+        alias="${codesigning.alias}"
+        alg="${codesigning.digest}"
+        tsaurl="http://timestamp.digicert.com"/>
   </target>
 
   <target name="-installer" unless="skip.installer"
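Review bot: The `<jsign>` call in `-installer-sign-uninstaller` does not set `tsmode`, so the timestamp protocol falls back to JSign's default, whereas the removed signtool call requested RFC 3161 explicitly with `/tr`. If RFC 3161 timestamps are meant to be kept, add `tsmode="RFC3161"` here and to the matching `<jsign>` call in `installer-sign`. The same seven attributes are repeated verbatim in both targets; moving the hard-coded TSA URL into a property (for example a new `codesigning.tsa`) or wrapping the call in a macrodef that takes only the file would stop the two from drifting apart. The `-installer` target that closes this hunk continues outside it.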
@@ -2318,17 +2315,14 @@ skip.installer property in build.properties" />
 
   <target name="installer-sign"
       description="Builds and optionally signs the Windows installer"
-      depends="-installer" if="${do.codesigning}" >
-    <exec executable="${codesigning.exec}" failonerror="true">
-      <arg value="sign"/>
-      <arg value="/sha1"/>
-      <arg value="${codesigning.certificate.thumbprint}"/>
-      <arg value="/fd"/>
-      <arg value="sha512"/>
-      <arg value="/tr"/>
-      <arg value="http://timestamp.digicert.com"/>
-      <arg value="${tomcat.release}/v${version}/bin/${final.name}.exe"/>
-    </exec>
+      depends="-installer,setup-jsign" if="${do.codesigning}" >
+    <jsign file="${tomcat.release}/v${version}/bin/${final.name}.exe"
+        keystore="${codesigning.pkcs11properties}"
+        storepass="NONE"
+        storetype="PKCS11"
+        alias="${codesigning.alias}"
+        alg="${codesigning.digest}"
+        tsaurl="http://timestamp.digicert.com"/>
     <!-- .exe has changed so need to redo checksums and OpenPGP signature -->
     <delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.asc" />
     <delete file="${tomcat.release}/v${version}/bin/${final.name}.exe.sha512" 
/>
@@ -3351,6 +3345,27 @@ Read the Building page on the Apache Tomcat 
documentation site for details on ho
 
   <!-- ======================= Macros, Taskdefs etc ======================== 
-->
 
+  <target name="download-jsign" >
+    <!-- Download jsign -->
+    <antcall target="downloadfile">
+      <param name="sourcefile" value="${jsign.loc}"/>
+      <param name="destfile" value="${jsign.jar}"/>
+      <param name="destdir" value="${jsign.home}"/>
+      <param name="checksum.enabled" value="${jsign.checksum.enabled}"/>
+      <param name="checksum.algorithm" value="${jsign.checksum.algorithm}"/>
+      <param name="checksum.value" value="${jsign.checksum.value}"/>
+    </antcall>
+  </target>
+
+  <target name="setup-jsign" depends="download-jsign">
+    <!-- Add jsign tasks to project -->
+    <path id="jsign.classpath">
+      <fileset file="${jsign.jar}" />
+    </path>
+
+    <taskdef name="jsign" classname="net.jsign.JsignTask" 
classpathref="jsign.classpath" />
+  </target>
+
   <macrodef name="jarIt" description="utility macro for standard JAR 
packaging">
     <attribute name="jarfile"
                description="the name of the JAR file to create"/>
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c338159..fde4dd6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -284,6 +284,10 @@
         Update the packaged version of the Tomcat Native Library to 1.2.30. 
Also
         update the minimum recommended version to 1.2.30. (markt)
       </update>
+      <add>
+        Use JSign to integrate the build script with the code signing service 
to
+        enable release builds to be created on Linux as well as Windows. 
(markt)
+      </add>
     </changelog>
   </subsection>
 </section>
