How to sign multiple JNLP application using Maven
Question
We use JNLP application for my business. Actual use requires manual signing jars for each release. This certainly leads to having different certificates, expired certificates and so on ..
We POC'ed maven to automatically sign an application with Maven Jarsigner Plugin.
Now, what is the best approach to industrialize such process ? I'd like to have the certificate shared among all applications instead of recreating one everytime.
In particular:
Is it correct to have a certificate for a bunch of corporate applications, or shall I consider having one per application ?
Can we imagine to store certificate(s) as dependencies (under business repo) and have both dev and release certificates fetched uppon build ? Say dev cert for local build and release certificate for release.
What are the flaws of such use ?
Is there any other/better solution ?
Thanks for your answers.
1 answers
solution1
0 ACCPTED 2013-05-14 07:06:31
There are many ways to solve the problem, so I can only share my thoughts on the subject.
a) I would assume different releases would be on different branches, so in essence we only deal with one release version at a time
b) I then assume per version, that you have different certificates per environment. The per environment part can be handled using maven profiles ( http://maven.apache.org/guides/introduction/introduction-to-profiles.html ), so...
Whether to have multiple or a single certificate is a matter of preference. Since it provides the level of trust between any given user and the given app it is essentially a judgment of risk versus maintainability. Risk, in that multiple apps with the same certificate gives higher exposure, also to malign exposure, and any breach of one is a breach of all. So it may be important what the certificates guard.. Maintainability in that all apps follow the same update cycle, and that a change to one means a change to all.
So, the coupling is a bit higher, risk is harder and maintenance is simpler.. If you were global enterprise Acme Inc risk is probably higher than if you were local enterprise Icme Inc. and would it be other peoples data or money that would probably invite the safest option available.
I see no reason why certificates cannot be stored. Either in repository or some other safe repo or simply lying around. What is more interesting may be the private keys, which you can specify as properties and have the dev ones bound it the dev profile and the release ones omitted, so you would have to provide them on the command line.
Assuming you use maven jarsigner plugin, you could have ${my.keypass} and ${my.keystore}, and then the dev profile with both properties set, and the release profile with only keystore set.
Last time I used certificates in a similar manner I had: - a set of individual components - In a single repository - Which could be build as a single complete entity.
So sharing the certificates was an easy takeaway. All certificates except final prod was in sourcecode repository Certificate for releases was on a secure server, where we had a batch process which only a few had access to.
As for security compromises.. I don't think we ever encountered one, but we were prepared :)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.