Google Git
Sign in
apache / netbeans-website / 44443f9641a4bc18331d3d9c0e0f178c417e52be / . / netbeans.apache.org / src / content / wiki / DevFaqSignNbm.asciidoc
blob: 5e7bdc0badbeb6889f284d01b7f10530843ed5ff [file] [log] [blame]
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
= DevFaqSignNbm
:jbake-type: wiki
:jbake-tags: wiki, devfaq, needsreview
:jbake-status: published
:keywords: Apache NetBeans wiki DevFaqSignNbm
:description: Apache NetBeans wiki DevFaqSignNbm
:toc: left
:toc-title:
:syntax: true
1. link:#Can_I_sign_Ant_based_NBMs_I_create.3F[Can I sign Ant based NBMs I create?]
1. link:#Isn.27t_there_an_easier_way.3F[Isn't there an easier way?]
2. link:#Great.21_Can_you_translate_that.3F[Great! Can you translate that?]
[start=2]
. link:#How_can_I_sign_Maven_based_NBMs_I_create.3F[How can I sign Maven based NBMs I create?]
1. link:#Example[Example]
[start=3]
. link:#How_can_I_create_a_keystore_file_and_sign_Maven_based_NBMs_within_the_build_process.3F[How can I create a keystore file and sign Maven based NBMs within the build process?]
1. link:#Resources[Resources]
[start=4]
. link:#Apache_Migration_Information[Apache Migration Information]
=== Can I sign Ant based NBMs I create?
Yes, though there is not yet any GUI support for this.
1. Make a module project.
[start=2]
. Generate a keystore, e.g.
[source,java]
----
cd .../path/to/module/
keytool -genkey -storepass specialsauce -alias myself -keystore nbproject/private/keystore
----
and answer the questions posed.
To make NetBeans build script sign the NBM module. The keystore and key password needs to be the same.
At keytool, when the question below is asked, just press ENTER key, to make keystore and key alias the same password.
[source,java]
----
Enter key password for <myself>
(RETURN if same as keystore password):
----
[start=3]
. Edit `nbproject/project.properties` to contain e.g.
[source,java]
----
keystore=nbproject/private/keystore
nbm_alias=myself
----
[start=4]
. Edit `nbproject/private/platform-private.properties` to contain e.g.
[source,java]
----
storepass=specialsauce
----
You could also pass `-Dstorepass=specialsauce` on the command line.
If you specify a keystore but `${storepass}` is undefined, you will be prompted for the password during the build.
[start=5]
. Build the NBM for the module. (Context menu of the project.) It should be signed.
[start=6]
. Try installing the NBM. (Expand `build` folder in *Files* view and double-click it.) It will not be trusted initially (and so the checkbox to really install it will initially be unchecked), since NetBeans does not know about your signature. But you can click *View Certificate* to examine the certificate. If you allow installation of this module, NetBeans will remember you approved this certificate and it will not ask you for confirmation next time.
Some notes:
1. You can probably get a root-authorized certificate from VeriSign or the like, and the Auto Update wizard should treat this as more trusted. Not yet investigated (please update this FAQ entry if you experiment with this).
[start=2]
. Keeping the keystore and its password in the `private` dir ensures that you will not accidentally commit either to source repository or include it in a source ZIP made with the Project Packager module. It may be safe to put the keystore in a shared directory (e.g. `nbproject`) if you are sure that the storepass is too hard to guess.
==== Isn't there an easier way?
Of course. Based on the above notes this script has been contributed by our community. Just put this in your suite's build.xml file:
[source,xml]
----
<target name="-init" depends="suite.-init,init-netbeans,init-hudson">
<!--Create/Update keystore-->
<delete file="${keystore.location}${keystore.name}"/>
<mkdir dir="${keystore.location}"/>
<genkey alias="${keystore.alias}" storepass="${keystore.password}"
dname="${keystore.dname}"
keystore="${keystore.location}${keystore.name}"/>
<!--Update keystore info in projects-->
<antcall target="update-keystore-info"/>
</target>
<target name="update-keystore-info">
<for list="${modules}" delimiter=":" param="cur" trim="true">
<sequential>
<mkdir dir="@{cur}/nbproject/"/>
<!--Place the information in the properties file-->
<propertyfile file="@{cur}/nbproject/project.properties">
<entry key="keystore" value="../${keystore.location}${keystore.name}"/>
<entry key="nbm_alias" value="${keystore.alias}"/>
</propertyfile>
<mkdir dir="@{cur}/nbproject/private/"/>
<!--Place the password in the private properties file-->
<propertyfile file="@{cur}/nbproject/private/platform-private.properties">
<entry key="storepass" value="${keystore.password}"/>
</propertyfile>
</sequential>
</for>
</target>
----
The script use ant-contrib library so make sure to have it available.
You can import it using one of the following:
1. If the ant-contrib-x.jar is in ant directory:
[source,xml]
----
<taskdef resource="net/sf/antcontrib/antcontrib.properties"/>
----
[start=2]
. Otherwise:
[source,xml]
----
<taskdef resource="net/sf/antcontrib/antcontrib.properties">
<classpath>
<pathelement location="path/to/ant-contribx.jar"/>
</classpath>
</taskdef>
----
Also you'll need this values defined in your suite's project.properties file:
[source,java]
----
keystore.dname=CN=x, OU=x, O=x, C=x
keystore.location=x/
keystore.name=x
keystore.alias=x
keystore.password=x
----
Just replace x with the desired value.
==== Great! Can you translate that?
Ok, here's a summary:
1. Create a keystore with genkey task.
[start=2]
. Using the defined module list (${modules} this is defined by the IDE itself) go to all your modules and add the keystore location and alias information in its `nbproject/private/platform-private.properties` file.
[start=3]
. Call Netbeans build task so everything keeps going.
Enjoy!
<hr/>
NOTE: If you get an warning about your plugins not being trusted (and you're using self-signed certificates), you need to create and register your own
implementation of `org.netbeans.spi.autoupdate.KeyStoreProvider` which provides access to a truststore into which your self-signed certificate has been imported as a trusted entry. In other words, the keystore (private key) is used at compile time to sign the NBM file, while the truststore (created by exporting the key from the keystore, then importing it into a new store to mark it trusted) is needed at runtime to validate the signature). All of this may not be necessary if you are signing with a certificate issued by a well-known CA.
Applies to: NetBeans 6.8 and above
=== How can I sign Maven based NBMs I create?
Yes. link:https://github.com/mojohaus/nbm-maven-plugin[nbm-maven-plugin] will sign your NBM files if you set keystore, alias and password parameters correctly.
==== Example
1. Create a keystore (see the instructions above)
[start=2]
. Save the keystore file into a directory like `nbproject/private`. Make sure that it will not get committed to VCS like git/svn/hg! Or save it outside of the project. It depends on your preference.
[start=3]
. Update the `nbm-maven-plugin`-configuration in the pom.xml like this
`
[source,xml]
----
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>nbm-maven-plugin</artifactId>
<version>3.11.1</version>
<extensions>true</extensions>
<configuration>
<!-- keep it for backwards compatibility to previous versions-->
<codeNameBase>com.johndoe.netbeans.myplugin</codeNameBase>
<author>JohnDoe (john.doe@mail.foo)</author>
<homePageUrl>link:https://github.com/johndoe/myplugin[https://github.com/johndoe/myplugin]</homePageUrl>
<!-- keystore: only required, if you don't want to pass the path to the keystore file via cmdline-->
<keystore>nbproject/private/keystore</keystore>
<keystorealias>myself</keystorealias>
<licenseName>Apache 2.0</licenseName>
<licenseFile>LICENSE-2.0.txt</licenseFile>
</configuration>
</plugin>
----
`
Update the codeNameBase, keystore and other properties to your needs.
More details about configuring the plugin can be found at the offical plugin page [2]
[start=4]
. Call `mvn clean package nbm:nbm -Dkeystorepass=yourpassword` to build a signed nbm.OR
Call `mvn clean package nbm:nbm -Dkeystorepass=yourpassword -Dkeystore=/path/to/the/keystore.file`, if you want to reference the keystore manually. For more options see [3]
=== How can I create a keystore file and sign Maven based NBMs within the build process?
See that example at
link:https://github.com/born2snipe/netbean-plugin-parent/blob/master/pom.xml[https://github.com/born2snipe/netbean-plugin-parent/blob/master/pom.xml]
to generate a key file via the keytool-maven-plugin.
==== Resources
[1] link:https://github.com/mojohaus/nbm-maven-plugin[https://github.com/mojohaus/nbm-maven-plugin]
[2] link:http://www.mojohaus.org/nbm-maven-plugin/[http://www.mojohaus.org/nbm-maven-plugin/]
[3] link:http://www.mojohaus.org/nbm-maven-plugin/nbm-mojo.html[http://www.mojohaus.org/nbm-maven-plugin/nbm-mojo.html]
=== Apache Migration Information
The content in this page was kindly donated by Oracle Corp. to the
Apache Software Foundation.
This page was exported from link:http://wiki.netbeans.org/DevFaqSignNbm[http://wiki.netbeans.org/DevFaqSignNbm] ,
that was last modified by NetBeans user Markiewb
on 2017-06-10T19:35:58Z.
*NOTE:* This document was automatically converted to the AsciiDoc format on 2018-02-07, and needs to be reviewed.