sigstore:jarsign
Full name:
io.github.hboutemy:sigstore-maven-plugin:1.0.0-beta-3:jarsign
Description:
Goal which:
- generates an ephemeral key pair
- gets an OIDC token and the associated email
- requests a code signing certificate from sigstore Fulcio
- signs the JAR file (with jarsigner)
- publishes the signed JAR file (that contains the signature per the JAR signing spec) to sigstore Rekor
Attributes:
- Requires a Maven project to be executed.
- The goal is not marked as thread-safe and thus does not support parallel builds.
- Binds by default to the lifecycle phase: package.
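As an added example (not part of the plugin's own documentation), a pom.xml fragment that binds this goal to the package phase and uses the browser-less device code flow, as a CI runner without a browser would need; the signed-JAR output path is an assumed value, the other names come from the parameter tables below:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>io.github.hboutemy</groupId>
      <artifactId>sigstore-maven-plugin</artifactId>
      <version>1.0.0-beta-3</version>
      <executions>
        <execution>
          <id>sign-jar</id>
          <!-- jarsign already binds to package by default; stated explicitly here -->
          <phase>package</phase>
          <goals>
            <goal>jarsign</goal>
          </goals>
          <configuration>
            <!-- no local browser on a CI runner: use the OAuth Device Code flow -->
            <oidcDeviceCodeFlow>true</oidcDeviceCodeFlow>
            <!-- assumed path: keep the unsigned artifact and write the signed copy beside it,
                 instead of the default behaviour of overwriting the input JAR -->
            <outputSignedJar>${project.build.directory}/${project.build.finalName}-signed.jar</outputSignedJar>
            <!-- the short-lived Fulcio certificate (documented default) is kept so the
                 signature can later be verified and the signer identity audited -->
            <outputSigningCert>${project.build.directory}/signingCert.pem</outputSigningCert>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The same settings can be passed on the command line through the user properties listed in the tables (for example -Doidc-device-code=true) without editing the POM.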
Required Parameters
Name | Type | Since | Description |
---|---|---|---|
<fulcioInstanceURL> | URL | - | URL of Fulcio instance. Default value is: https://fulcio.sigstore.dev. User property is: fulcio-instance-url. |
<oidcAuthURL> | URL | - | URL of OIDC Identity Provider Authorization endpoint. Default value is: https://oauth2.sigstore.dev/auth/auth. User property is: oidc-auth-url. |
<oidcClientID> | String | - | Client ID for OIDC Identity Provider. Default value is: sigstore. User property is: oidc-client-id. |
<oidcDeviceCodeFlow> | boolean | - | Use browser-less OAuth Device Code flow instead of opening a local browser. Default value is: false. User property is: oidc-device-code. |
<oidcDeviceCodeURL> | URL | - | URL of OIDC Identity Provider Device Code endpoint. Default value is: https://oauth2.sigstore.dev/auth/device/code. User property is: oidc-device-code-url. |
<oidcTokenURL> | URL | - | URL of OIDC Identity Provider Token endpoint. Default value is: https://oauth2.sigstore.dev/auth/token. User property is: oidc-token-url. |
<outputSigningCert> | File | - | Location of the code signing certificate (including public key) used to verify the signature. Default value is: ${project.build.directory}/signingCert.pem. User property is: output-signing-cert. |
<rekorInstanceURL> | URL | - | URL of Rekor instance. Default value is: https://rekor.sigstore.dev. User property is: rekor-instance-url. |
<signerName> | String | - | Signing algorithm to be used; default is ECDSA. Default value is: sigstore. User property is: signer-name. |
<signingAlgorithm> | String | - | Signing algorithm to be used; default is ECDSA. Default value is: EC. User property is: signing-algorithm. |
<signingAlgorithmSpec> | String | - | Signing algorithm specification to be used; default is secp256r1. Default value is: secp256r1. User property is: signing-algorithm-spec. |
<sslVerfication> | boolean | - | Enable/disable SSL hostname verification. Default value is: true. User property is: ssl-verification. |
<tsaURL> | URL | - | URL of Trusted Timestamp Authority (RFC3161 compliant). Default value is: https://rekor.sigstore.dev/api/v1/timestamp. User property is: tsa-url. |
Optional Parameters
Name | Type | Since | Description |
---|---|---|---|
<emailAddress> | String | - | Email address of the signer; if not specified, the email address returned in the OIDC identity token will be used. User property is: email-address. |
<inputJar> | File | - | Location of the input JAR file; defaults to the default project artifact. User property is: input-jar. |
<outputSignedJar> | File | - | Location of the jarsigner-signed JAR file; defaults to overwriting the input file with the signed JAR. User property is: output-signed-jar. |
Parameter Details
<emailAddress>
Email address of the signer; if not specified, the email address returned in the OIDC identity token will be used.
- Type: java.lang.String
- Required: No
- User Property: email-address
<fulcioInstanceURL>
URL of Fulcio instance.
- Type: java.net.URL
- Required: Yes
- User Property: fulcio-instance-url
- Default: https://fulcio.sigstore.dev
<inputJar>
Location of the input JAR file; defaults to the default project artifact.
- Type: java.io.File
- Required: No
- User Property: input-jar
<oidcAuthURL>
URL of OIDC Identity Provider Authorization endpoint.
- Type: java.net.URL
- Required: Yes
- User Property: oidc-auth-url
- Default: https://oauth2.sigstore.dev/auth/auth
<oidcClientID>
Client ID for OIDC Identity Provider.
- Type: java.lang.String
- Required: Yes
- User Property: oidc-client-id
- Default: sigstore
<oidcDeviceCodeFlow>
Use browser-less OAuth Device Code flow instead of opening a local browser.
- Type: boolean
- Required: Yes
- User Property: oidc-device-code
- Default: false
<oidcDeviceCodeURL>
URL of OIDC Identity Provider Device Code endpoint.
- Type: java.net.URL
- Required: Yes
- User Property: oidc-device-code-url
- Default: https://oauth2.sigstore.dev/auth/device/code
<oidcTokenURL>
URL of OIDC Identity Provider Token endpoint.
- Type: java.net.URL
- Required: Yes
- User Property: oidc-token-url
- Default: https://oauth2.sigstore.dev/auth/token
<outputSignedJar>
Location of the jarsigner-signed JAR file; defaults to overwriting the input file with the signed JAR.
- Type: java.io.File
- Required: No
- User Property: output-signed-jar
<outputSigningCert>
Location of the code signing certificate (including public key) used to verify the signature.
- Type: java.io.File
- Required: Yes
- User Property: output-signing-cert
- Default: ${project.build.directory}/signingCert.pem
<rekorInstanceURL>
URL of Rekor instance.
- Type: java.net.URL
- Required: Yes
- User Property: rekor-instance-url
- Default: https://rekor.sigstore.dev
<signerName>
Signing algorithm to be used; default is ECDSA.
- Type: java.lang.String
- Required: Yes
- User Property: signer-name
- Default: sigstore
<signingAlgorithm>
Signing algorithm to be used; default is ECDSA.
- Type: java.lang.String
- Required: Yes
- User Property: signing-algorithm
- Default: EC
<signingAlgorithmSpec>
Signing algorithm specification to be used; default is secp256r1.
- Type: java.lang.String
- Required: Yes
- User Property: signing-algorithm-spec
- Default: secp256r1
<sslVerfication>
Enable/disable SSL hostname verification.
- Type: boolean
- Required: Yes
- User Property: ssl-verification
- Default: true
<tsaURL>
URL of Trusted Timestamp Authority (RFC3161 compliant).
- Type: java.net.URL
- Required: Yes
- User Property: tsa-url
- Default: https://rekor.sigstore.dev/api/v1/timestamp