Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 387565

Summary: PDE Plug-in Export Wizard stores JAR-signing password in clear text
Product: [Eclipse Project] PDE Reporter: Torkild Resheim <torkildr>
Component: UIAssignee: Martin Karpisek <martin.karpisek>
Status: VERIFIED FIXED QA Contact:
Severity: major    
Priority: P3 CC: curtis.windatt.public, daniel_megert, eclipse.sprigogin, martin.karpisek, Michael_Rennie, Vikas.Chandra
Version: 4.2Keywords: helpwanted
Target Milestone: 4.7 M6Flags: Vikas.Chandra: review+
Hardware: PC   
OS: All   
See Also: https://git.eclipse.org/r/82322
https://git.eclipse.org/c/pde/eclipse.pde.ui.git/commit/?id=5f9e983029986ccf0bef85d0afcc8e0798462277
Whiteboard:
Bug Depends on: 511250    
Bug Blocks:    

Description Torkild Resheim CLA 2012-08-20 03:41:04 EDT 
The wizard in **Export > Deployable Plug-ins and Fragments** stores the keystore password in clear text. This is a fairly major problem as confidential information is exposed. The password is stored in <workspace>/.metadata/.plugins/org.eclipse.pde.ui/dialog_settings.xml

<section name="PluginExportWizard">
  ...
  <item value="asdfasdf" key="password"/>
  <item value="asdfasdf" key="keypass"/>
  ...
</section>

We would be pretty much better off if Equinox Secure Storage was used instead.
Comment 1 Curtis Windatt CLA 2012-09-04 13:03:59 EDT 
This sounds like a reasonable request, but there isn't enough committer time to work on it.  It is more common for builds to be done headlessly, not from the UI.
Comment 2 Dani Megert CLA 2012-09-05 05:42:14 EDT 
A quick fix would be to no longer store the keypass and the password and let the user enter it each time.
Comment 3 Martin Karpisek CLA 2016-10-02 06:12:14 EDT 
Patch for review was submitted to gerrit (is using equinox secure storage) https://git.eclipse.org/r/82322
Comment 4 Vikas Chandra CLA 2016-12-01 01:45:37 EST 
C:\Users\IBM_ADMIN\workspace_\.metadata\.plugins\org.eclipse.pde.core\temp\org.eclipse.pde.container.feature\assemble.org.eclipse.pde.container.feature.win32.win32.x86_64.xml:93: The following error occurred while executing this line:
C:\Users\IBM_ADMIN\workspace_6nov_\.metadata\.plugins\org.eclipse.pde.core\temp\org.eclipse.pde.container.feature\assemble.org.eclipse.pde.container.feature.win32.win32.x86_64.xml:111: The following error occurred while executing this line:
C:\Users\IBM_ADMIN\workspace_6nov_\.metadata\.plugins\org.eclipse.pde.core\temp\org.eclipse.pde.container.feature\assemble.org.eclipse.pde.container.feature.win32.win32.x86_64.xml:68: The jarsigner could not be found. Make sure to run with the build with a JDK.
	at org.apache.tools.ant.ProjectHelper.addLocationToBuildException(ProjectHelper.java:568)
	at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:443)
	at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:105)


Whenever I try to use password, it gives me this error with or without the patch.
Any sure-shot way to export with password without causing this issue?
Comment 5 Martin Karpisek CLA 2016-12-01 17:51:07 EST 
attaching test steps i used for development and verification
(should work always - with or without patch, tested with oracle JDK 1.8.0_101, windows7, Oxygen (4.7) Build id: I20161130-2000)
i think error is caused by somehow missing jarsigner binary in JRE
 
--
TEST STEPS
Prerequisites:
JAVA_HOME is JDK installation containing both jarsigner.exe (present only in JDK) and keytool.exe (i think present for both JDK or JRE)

Steps:
0) generate test keystore which will be used for signing (named test.keystore, with password testpwd):
	%JAVA_HOME%/bin/keytool -genkey -keystore test.keystore -storepass testpwd -keypass testpwd -keyalg RSA -alias test -dname "CN=test-cn , OU=Test-ou, O=test-org, L=test-loc , ST=test-state, C=test-county"
1) create new plugin project named plugin1 (default parameters, empty plugin without code)
2) export plugin using export wizard 
2.1) Export... > Deployable plugins and features
2.2) select plugin1 for export
2.3) define directory for export (same directory where is generated test.keystore)
2.4) on Tab Jar signing enable "Sign jar archives using keystore" and enter:
	keystore location = absolute path to our test.keystore
	keypass=testpwd
	alias=test
	password=testpwd
2.5) finish - run export
3) verify export plugin results
3.1) there should be new plugin in subdirectory of export directory in plugins/plugin1_1.0.0.201612012231.jar (for example)
3.2) verify jar is signed
	%JAVA_HOME%/bin/jarsigner -verify -verbose -certs -keystore test.keystore plugins/plugin1_1.0.0.201612012236.jar

Expected result is someting like:
	s k      189 Thu Dec 01 22:36:04 CET 2016 META-INF/MANIFEST.MF

		  X.509, CN=test-cn, OU=Test-ou, O=test-org, L=test-loc, ST=test-state, C=test-county (test)
		  [certificate will expire on 1.3.2017 22:17]

			 230 Thu Dec 01 22:36:04 CET 2016 META-INF/TEST.SF
			1397 Thu Dec 01 22:36:04 CET 2016 META-INF/TEST.RSA
			   0 Thu Dec 01 22:36:06 CET 2016 META-INF/

	  s = signature was verified
	  m = entry is listed in manifest
	  k = at least one certificate was found in keystore
	  i = at least one certificate was found in identity scope

	jar verified.
--
Comment 6 Vikas Chandra CLA 2016-12-02 04:20:45 EST 
Thanks Martin, I am able to export a plugin with jar signing password.
Comment 7 Vikas Chandra CLA 2016-12-02 04:28:24 EST 
The fix works fine and now the password is no longer shown.

I will test some more and commit it later today ( if I don't find anything in testing).
Comment 9 Vikas Chandra CLA 2016-12-02 11:39:51 EST 
Thanks Martin !
Comment 10 Vikas Chandra CLA 2016-12-05 04:22:16 EST 
Martin, can you please verify this fix in latest 4.7 eclipse?
Comment 11 Martin Karpisek CLA 2016-12-06 15:13:39 EST 
verified in 
Version: Oxygen (4.7)
Build id: I20161205-2000
Comment 12 Sergey Prigogin CLA 2017-01-30 20:27:34 EST 
The change caused bug 511250.
Comment 13 Vikas Chandra CLA 2017-03-07 09:51:03 EST 
This was already verified on
Version: Oxygen (4.7)
Build id: I20161205-2000