[ https://issues.apache.org/jira/browse/MJARSIGNER-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17874731#comment-17874731 ]
Slawomir Jaranowski commented on MJARSIGNER-74:
-----------------------------------------------

[~schedin] jarsigner was released and updates in MJARSIGNER-77

Now you can use it in plugin

> Allow usage of multiple Time Stamping Authority (TSA) servers
> -------------------------------------------------------------
>
> Key: MJARSIGNER-74
> URL: https://issues.apache.org/jira/browse/MJARSIGNER-74
> Project: Maven Jar Signer Plugin
> Issue Type: New Feature
> Affects Versions: 3.0.0
> Reporter: Lennart Schedin
> Priority: Minor
>
> h3. Background
> A Timestamping Authority (TSA) server is used to add a timestamp to the
> digital signature. This timestamp indicates when the code was signed and
> helps prevent issues that may arise if a certificate used for code signing
> expires.
> The jarsigner command has 4 parameters relating to TSA (see
> [https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html]):
> 1. {{-tsa url}}
> 2. {{-tsacert alias}}
> 3. {{-tsapolicyid policyid}}
> 4. {{-tsadigestalg algorithm}}
> The maven-jarsigner-plugin currently has support to set {{-tsa}} and
> {{-tsacert}} (the same goes for the library JarSignerSignRequest in the
> [https://github.com/apache/maven-jarsigner] project).
>
> h3. Feature requested
> Allow usage of multiple TSA servers when signing. This could be useful for:
> 1. Better stability if one TSA server is down.
> 2. Better stability if a TSA server has imposed a rate-limit when signing
> many jar files at the same time.
> This feature has both been suggested by Thorsten Meinl as a patch to
> [https://issues.apache.org/jira/projects/MJARSIGNER/issues/MJARSIGNER-59] and
> also by @jcompagner in
> [https://github.com/apache/maven-jarsigner-plugin/pull/1#issuecomment-1412344998].
> But since those suggestions were not tied to a direct ticket, I felt it
> would be good to collect their feature requests as a separate dedicated
> ticket.
>
> h3. Implementation suggestions
> I don’t plan to implement this feature myself. But since I have analyzed the
> issue, I can give my suggestions on how to implement it:
> # The {{-tsapolicyid}} parameter is currently missing in the maven-jarsigner
> project. Consider adding support for this while implementing this ticket.
> # Since {{-tsa}}, {{-tsacert}}, {{-tsapolicyid}} all belong
> together, I would recommend making a list of all 3.
> # If the user specifies 3 tsa URLs but only 1 tsacert it gets a bit tricky.
> The easiest way to handle this is to use validateParameters() (see
> [https://github.com/apache/maven-jarsigner-plugin/pull/13/]) and throw a
> MojoExecutionException if this happens.
> # I recommend using a comma as separator for the items in the list. This way
> it would be possible to change the data type from String to String[] and
> Maven will itself handle the splitting on the comma (if using the command
> format) or mangling of nested XML tags into a String[] (if using nested XML
> format). Thus, the JarsignerSignMojo would not need to do any String
> splitting.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
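
The list pairing and count validation suggested in the ticket above, combined with the failover it asks for, as an added Java example that is not code from maven-jarsigner-plugin. The class, record and method names are hypothetical, an empty list is assumed to mean "not configured", and IllegalArgumentException stands in for MojoExecutionException so the example runs without Maven on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

/** Added illustration with hypothetical names; not the plugin's implementation. */
public class TsaFailoverExample {
    /** One TSA entry; certAlias and policyId are null when not configured. */
    record Tsa(String url, String certAlias, String policyId) {}

    /** Pairs the three lists by index and rejects partially filled lists. */
    static List<Tsa> pair(String[] urls, String[] certs, String[] policyIds) {
        checkLength("tsacert", certs, urls.length);
        checkLength("tsapolicyid", policyIds, urls.length);
        List<Tsa> result = new ArrayList<>();
        for (int i = 0; i < urls.length; i++) {
            result.add(new Tsa(urls[i],
                    certs.length == 0 ? null : certs[i],
                    policyIds.length == 0 ? null : policyIds[i]));
        }
        return result;
    }

    private static void checkLength(String name, String[] values, int expected) {
        // Assumption: empty means "not used"; otherwise the count must match tsa.
        if (values.length != 0 && values.length != expected) {
            throw new IllegalArgumentException(name + " has " + values.length
                    + " entries but tsa has " + expected);
        }
    }

    /** Tries each TSA in order and returns the first one that signs successfully. */
    static Tsa signWithFailover(List<Tsa> tsas, Predicate<Tsa> signAttempt) {
        for (Tsa tsa : tsas) {
            if (signAttempt.test(tsa)) return tsa;
        }
        throw new IllegalStateException("all " + tsas.size() + " TSA servers failed");
    }

    public static void main(String[] args) {
        // Constructed sample values; the first server is simulated as unavailable.
        String[] urls = {"https://tsa1.example/", "https://tsa2.example/"};
        List<Tsa> tsas = pair(urls, new String[0], new String[] {"1.2.3.4", "1.2.3.5"});
        Tsa used = signWithFailover(tsas, t -> !t.url().contains("tsa1"));
        System.out.println("signed using " + used.url());
        try {
            pair(urls, new String[] {"only-one-alias"}, new String[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real signing step the `signAttempt` predicate would wrap the jarsigner invocation for one TSA entry and report whether it succeeded.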