sigstore:jarsign

Full name:

io.github.hboutemy:sigstore-maven-plugin:1.0.0-beta-3:jarsign

Description:

Goal which:
  • generates an ephemeral key pair (by default EC on secp256r1, see signingAlgorithm and signingAlgorithmSpec); the private key lives only in memory for the duration of the signing
  • obtains an OIDC identity token and the email address it asserts (see emailAddress)
  • requests a short-lived code signing certificate for that identity from sigstore Fulcio, binding the ephemeral public key to the email
  • signs the JAR file with jarsigner, using the ephemeral key and the Fulcio certificate
  • submits the signed JAR file (whose signature is embedded in META-INF per the JAR signing spec) to sigstore Rekor, which records a transparency log entry for it
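What a consumer does with the output of this goal is not covered by the plugin's own documentation, so the following is an added example (not code from the plugin or its author). It verifies a JAR produced by jarsign with the JDK's own JarFile machinery and then applies the checks JarFile does not do. It assumes four inputs chosen here for illustration: the signed JAR, the PEM file written by outputSigningCert, the email the signer is expected to have used, and the signing time as an ISO-8601 instant (in practice the integratedTime of the Rekor entry). The class name VerifySigstoreJar and the helper names are hypothetical. It does not check the chain to the Fulcio root or the Rekor inclusion proof; both are left to the caller.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: consumer-side verification of a jarsign-signed JAR (Java 11+). */
public class VerifySigstoreJar {

    // GeneralName tag for rfc822Name in X509Certificate.getSubjectAlternativeNames()
    private static final int RFC822_NAME = 1;

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: VerifySigstoreJar <signed.jar> <signingCert.pem> <email> <signingTime ISO-8601>");
            System.exit(2);
        }
        X509Certificate expected = loadPem(Path.of(args[1]));   // file written by outputSigningCert
        verifyEntries(Path.of(args[0]), expected);
        // Identity: Fulcio places the OIDC email in the SAN as an rfc822Name.
        Set<String> emails = sanEmails(expected);
        if (!emails.contains(args[2])) {
            throw new SecurityException("certificate SAN " + emails + " does not contain " + args[2]);
        }
        // Time: Fulcio certificates are valid for minutes, so validity is judged at the
        // signing time recorded by Rekor (or the RFC 3161 timestamp), never at "now".
        expected.checkValidity(Date.from(Instant.parse(args[3])));
        System.out.println("OK: all entries signed by " + expected.getSubjectX500Principal() + " for " + emails);
    }

    static X509Certificate loadPem(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Every non-signature entry must be covered by a signature made with the expected certificate. */
    static void verifyEntries(Path jar, X509Certificate expected) throws Exception {
        byte[] expectedDer = expected.getEncoded();
        // verify=true: digests in META-INF/*.SF are checked against each entry as it is read,
        // and a mismatch throws SecurityException. Certificate dates and trust anchors are NOT checked.
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // getCodeSigners() is only meaningful after the entry has been read to the end.
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                boolean byExpected = false;
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    if (Arrays.equals(chain.get(0).getEncoded(), expectedDer)) byExpected = true; // leaf first
                }
                if (!byExpected) throw new SecurityException("not signed by the expected certificate: " + e.getName());
            }
        }
    }

    /** Manifest and signature files directly under META-INF/ are not themselves signed. */
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/") || name.indexOf('/', "META-INF/".length()) != -1) return false;
        String u = name.toUpperCase();
        return u.equals("META-INF/MANIFEST.MF") || u.endsWith(".SF") || u.endsWith(".EC")
                || u.endsWith(".RSA") || u.endsWith(".DSA") || u.startsWith("META-INF/SIG-");
    }

    static Set<String> sanEmails(X509Certificate c) throws CertificateParsingException {
        Set<String> out = new HashSet<>();
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(RFC822_NAME).equals(san.get(0))) out.add((String) san.get(1));
            }
        }
        return out;
    }
}
```

The checkValidity step is the one people get wrong with Sigstore-signed JARs: `jarsigner -verify` will report the certificate as expired minutes after the build, which is expected, and is why the goal requests an RFC 3161 timestamp (tsaURL) and records the signing in Rekor. Comparing the leaf certificate byte-for-byte with signingCert.pem, rather than by subject, avoids accepting a different short-lived certificate issued for the same email.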

Attributes:

  • Requires a Maven project to be executed.
  • The goal is not marked as thread-safe and thus does not support parallel builds.
  • Binds by default to the lifecycle phase: package.

Required Parameters

Name Type Since Description
<fulcioInstanceURL> URL - URL of Fulcio instance
Default value is: https://fulcio.sigstore.dev.
User property is: fulcio-instance-url.
<oidcAuthURL> URL - URL of OIDC Identity Provider Authorization endpoint
Default value is: https://oauth2.sigstore.dev/auth/auth.
User property is: oidc-auth-url.
<oidcClientID> String - Client ID for OIDC Identity Provider
Default value is: sigstore.
User property is: oidc-client-id.
<oidcDeviceCodeFlow> boolean - Use browser-less OAuth Device Code flow instead of opening local browser
Default value is: false.
User property is: oidc-device-code.
<oidcDeviceCodeURL> URL - URL of OIDC Identity Provider Device Code endpoint
Default value is: https://oauth2.sigstore.dev/auth/device/code.
User property is: oidc-device-code-url.
<oidcTokenURL> URL - URL of OIDC Identity Provider Token endpoint
Default value is: https://oauth2.sigstore.dev/auth/token.
User property is: oidc-token-url.
<outputSigningCert> File - Location where the Fulcio-issued code signing certificate (which carries the public key needed to verify the signature) is written
Default value is: ${project.build.directory}/signingCert.pem.
User property is: output-signing-cert.
<rekorInstanceURL> URL - URL of Rekor instance
Default value is: https://rekor.sigstore.dev.
User property is: rekor-instance-url.
<signerName> String - Signer name passed to jarsigner; it becomes the base name of the signature files written to META-INF (with the default, META-INF/SIGSTORE.SF and the matching signature block file). It does not select the algorithm; see signingAlgorithm
Default value is: sigstore.
User property is: signer-name.
<signingAlgorithm> String - Signing algorithm to be used; default is ECDSA
Default value is: EC.
User property is: signing-algorithm.
<signingAlgorithmSpec> String - Signing algorithm specification to be used; default is secp256r1
Default value is: secp256r1.
User property is: signing-algorithm-spec.
<sslVerfication> boolean - Enable/disable SSL hostname verification on the HTTPS connections the goal makes; leave enabled except when testing against a private instance
Default value is: true.
User property is: ssl-verification.
<tsaURL> URL - URL of Trusted Timestamp Authority (RFC3161 compliant)
Default value is: https://rekor.sigstore.dev/api/v1/timestamp.
User property is: tsa-url.

Optional Parameters

Name Type Since Description
<emailAddress> String - Email address of signer; if not specified, the email address returned in the OIDC identity token will be used
User property is: email-address.
<inputJar> File - Location of the input JAR file; defaults to the project's main artifact
User property is: input-jar.
<outputSignedJar> File - Location of the jarsigner-signed JAR file; defaults to overwriting the input file with the signed JAR
User property is: output-signed-jar.
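The parameters above are set either as user properties on the command line or in the plugin's <configuration> block. The following pom.xml fragment is an added example (not from the plugin's own documentation) that binds the goal and configures the settings a headless CI build typically needs; the coordinates, version, goal name and parameter names are the ones documented on this page, and ${project.build.finalName} is a standard Maven property.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>io.github.hboutemy</groupId>
      <artifactId>sigstore-maven-plugin</artifactId>
      <version>1.0.0-beta-3</version>
      <executions>
        <execution>
          <id>sign-jar</id>
          <goals>
            <goal>jarsign</goal>
          </goals>
          <!-- no <phase> element: jarsign binds to the package phase by default -->
          <configuration>
            <!-- CI runners have no browser: use the OAuth Device Code flow, which prints a
                 URL and code for the operator instead of opening a local browser -->
            <oidcDeviceCodeFlow>true</oidcDeviceCodeFlow>
            <!-- write the Fulcio certificate next to the artifact so it ships with the JAR -->
            <outputSigningCert>${project.build.directory}/${project.build.finalName}-signingCert.pem</outputSigningCert>
            <!-- the parameter really is spelled this way in the plugin; keep it true so a
                 man-in-the-middle holding a certificate for some other host cannot impersonate
                 Fulcio, Rekor, the TSA or the OIDC provider -->
            <sslVerfication>true</sslVerfication>
            <!-- inputJar and outputSignedJar are left at their defaults: the project's main
                 artifact is signed in place, so the file Maven installs and deploys is the signed one -->
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn package` signs the artifact; the same settings can be given without touching the pom as `mvn -Doidc-device-code=true -Doutput-signing-cert=target/signingCert.pem package`. If outputSignedJar is pointed at a different path, remember that Maven installs and deploys the project artifact at its default location, so the published file would then be the unsigned one.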

Parameter Details

<emailAddress>

Email address of signer; if not specified, the email address returned in the OIDC identity token will be used
  • Type: java.lang.String
  • Required: No
  • User Property: email-address

<fulcioInstanceURL>

URL of Fulcio instance
  • Type: java.net.URL
  • Required: Yes
  • User Property: fulcio-instance-url
  • Default: https://fulcio.sigstore.dev

<inputJar>

Location of the input JAR file; defaults to the project's main artifact
  • Type: java.io.File
  • Required: No
  • User Property: input-jar

<oidcAuthURL>

URL of OIDC Identity Provider Authorization endpoint
  • Type: java.net.URL
  • Required: Yes
  • User Property: oidc-auth-url
  • Default: https://oauth2.sigstore.dev/auth/auth

<oidcClientID>

Client ID for OIDC Identity Provider
  • Type: java.lang.String
  • Required: Yes
  • User Property: oidc-client-id
  • Default: sigstore

<oidcDeviceCodeFlow>

Use browser-less OAuth Device Code flow instead of opening local browser
  • Type: boolean
  • Required: Yes
  • User Property: oidc-device-code
  • Default: false

<oidcDeviceCodeURL>

URL of OIDC Identity Provider Device Code endpoint
  • Type: java.net.URL
  • Required: Yes
  • User Property: oidc-device-code-url
  • Default: https://oauth2.sigstore.dev/auth/device/code

<oidcTokenURL>

URL of OIDC Identity Provider Token endpoint
  • Type: java.net.URL
  • Required: Yes
  • User Property: oidc-token-url
  • Default: https://oauth2.sigstore.dev/auth/token

<outputSignedJar>

Location of the jarsigner-signed JAR file; defaults to overwriting the input file with the signed JAR
  • Type: java.io.File
  • Required: No
  • User Property: output-signed-jar

<outputSigningCert>

Location where the Fulcio-issued code signing certificate (which carries the public key needed to verify the signature) is written
  • Type: java.io.File
  • Required: Yes
  • User Property: output-signing-cert
  • Default: ${project.build.directory}/signingCert.pem

<rekorInstanceURL>

URL of Rekor instance
  • Type: java.net.URL
  • Required: Yes
  • User Property: rekor-instance-url
  • Default: https://rekor.sigstore.dev

<signerName>

Signer name passed to jarsigner; it becomes the base name of the signature files written to META-INF (with the default, META-INF/SIGSTORE.SF and the matching signature block file, SIGSTORE.EC for an EC key). It does not select the algorithm; see signingAlgorithm and signingAlgorithmSpec
  • Type: java.lang.String
  • Required: Yes
  • User Property: signer-name
  • Default: sigstore

<signingAlgorithm>

Signing algorithm to be used; default is ECDSA
  • Type: java.lang.String
  • Required: Yes
  • User Property: signing-algorithm
  • Default: EC

<signingAlgorithmSpec>

Signing algorithm specification to be used; default is secp256r1
  • Type: java.lang.String
  • Required: Yes
  • User Property: signing-algorithm-spec
  • Default: secp256r1

<sslVerfication>

Enable/disable SSL hostname verification on the HTTPS connections the goal makes to the OIDC provider, Fulcio, Rekor and the TSA. With verification disabled, any party holding a certificate valid for some other name can impersonate those services, so neither the issued certificate nor the Rekor entry can be trusted; leave it enabled except when testing against a private instance
  • Type: boolean
  • Required: Yes
  • User Property: ssl-verification
  • Default: true

<tsaURL>

URL of Trusted Timestamp Authority (RFC3161 compliant). The Fulcio certificate is valid only for minutes, so the timestamp token jarsigner embeds in the signature block is what lets a verifier establish that signing happened inside the certificate's validity window
  • Type: java.net.URL
  • Required: Yes
  • User Property: tsa-url
  • Default: https://rekor.sigstore.dev/api/v1/timestamp