| Summary: | PDE Plug-in Export Wizard stores JAR-signing password in clear text | | |
|---|---|---|---|
| Product: | [Eclipse Project] PDE | Reporter: | Torkild Resheim <torkildr> |
| Component: | UI | Assignee: | Martin Karpisek <martin.karpisek> |
| Status: | VERIFIED FIXED | QA Contact: | |
| Severity: | major | | |
| Priority: | P3 | CC: | curtis.windatt.public, daniel_megert, eclipse.sprigogin, martin.karpisek, Michael_Rennie, Vikas.Chandra |
| Version: | 4.2 | Keywords: | helpwanted |
| Target Milestone: | 4.7 M6 | Flags: | Vikas.Chandra: review+ |
| Hardware: | PC | | |
| OS: | All | | |
| See Also: | https://git.eclipse.org/r/82322, https://git.eclipse.org/c/pde/eclipse.pde.ui.git/commit/?id=5f9e983029986ccf0bef85d0afcc8e0798462277 | | |
| Whiteboard: | | | |
| Bug Depends on: | 511250 | | |
| Bug Blocks: | | | |
Description
Torkild Resheim

This sounds like a reasonable request, but there isn't enough committer time to work on it. It is more common for builds to be done headlessly, not from the UI. A quick fix would be to no longer store the keypass and the password and let the user enter it each time.

Patch for review was submitted to Gerrit (uses Equinox secure storage): https://git.eclipse.org/r/82322

```
C:\Users\IBM_ADMIN\workspace_\.metadata\.plugins\org.eclipse.pde.core\temp\org.eclipse.pde.container.feature\assemble.org.eclipse.pde.container.feature.win32.win32.x86_64.xml:93: The following error occurred while executing this line:
C:\Users\IBM_ADMIN\workspace_6nov_\.metadata\.plugins\org.eclipse.pde.core\temp\org.eclipse.pde.container.feature\assemble.org.eclipse.pde.container.feature.win32.win32.x86_64.xml:111: The following error occurred while executing this line:
C:\Users\IBM_ADMIN\workspace_6nov_\.metadata\.plugins\org.eclipse.pde.core\temp\org.eclipse.pde.container.feature\assemble.org.eclipse.pde.container.feature.win32.win32.x86_64.xml:68: The jarsigner could not be found. Make sure to run with the build with a JDK.
	at org.apache.tools.ant.ProjectHelper.addLocationToBuildException(ProjectHelper.java:568)
	at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:443)
	at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:105)
```

Whenever I try to use password, it gives me this error with or without the patch. Any sure-shot way to export with password without causing this issue?

Attaching test steps I used for development and verification (should work always, with or without the patch; tested with Oracle JDK 1.8.0_101, Windows 7, Oxygen (4.7) Build id: I20161130-2000). I think the error is caused by a somehow missing jarsigner binary in the JRE.

TEST STEPS

Prerequisites: JAVA_HOME is a JDK installation containing both jarsigner.exe (present only in JDK) and keytool.exe (I think present for both JDK and JRE).

Steps:

0) Generate the test keystore which will be used for signing (named test.keystore, with password testpwd):

```
%JAVA_HOME%/bin/keytool -genkey -keystore test.keystore -storepass testpwd -keypass testpwd -keyalg RSA -alias test -dname "CN=test-cn , OU=Test-ou, O=test-org, L=test-loc , ST=test-state, C=test-county"
```

1) Create a new plugin project named plugin1 (default parameters, empty plugin without code)
2) Export the plugin using the export wizard
  2.1) Export... > Deployable plugins and features
  2.2) Select plugin1 for export
  2.3) Define the directory for export (the same directory where test.keystore was generated)
  2.4) On the "Jar signing" tab enable "Sign jar archives using keystore" and enter: keystore location = absolute path to our test.keystore, keypass = testpwd, alias = test, password = testpwd
  2.5) Finish - run export
3) Verify the exported plugin results
  3.1) There should be a new plugin in a subdirectory of the export directory, in plugins/plugin1_1.0.0.201612012231.jar (for example)
  3.2) Verify the jar is signed:

```
%JAVA_HOME%/bin/jarsigner -verify -verbose -certs -keystore test.keystore plugins/plugin1_1.0.0.201612012236.jar
```

Expected result is something like:

```
s k     189 Thu Dec 01 22:36:04 CET 2016 META-INF/MANIFEST.MF

      X.509, CN=test-cn, OU=Test-ou, O=test-org, L=test-loc, ST=test-state, C=test-county (test)
      [certificate will expire on 1.3.2017 22:17]

        230 Thu Dec 01 22:36:04 CET 2016 META-INF/TEST.SF
       1397 Thu Dec 01 22:36:04 CET 2016 META-INF/TEST.RSA
          0 Thu Dec 01 22:36:06 CET 2016 META-INF/

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
```

Thanks Martin, I am able to export a plugin with jar signing password. The fix works fine and now the password is no longer shown. I will test some more and commit it later today (if I don't find anything in testing).

Gerrit change https://git.eclipse.org/r/82322 was merged to [master]. Commit: http://git.eclipse.org/c/pde/eclipse.pde.ui.git/commit/?id=5f9e983029986ccf0bef85d0afcc8e0798462277

Thanks Martin!

Martin, can you please verify this fix in latest 4.7 eclipse?

Verified in Version: Oxygen (4.7) Build id: I20161205-2000

The change caused bug 511250.

This was already verified on Version: Oxygen (4.7) Build id: I20161205-2000
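Added example, not code from the PDE patch or the Eclipse project: it contrasts persisting the signing secrets through JFace dialog settings (the clear-text behaviour the bug reports) with the Equinox secure storage API that the Gerrit change is described as using. The node path, key names and class name are assumptions for illustration.

```java
import java.io.IOException;
import org.eclipse.equinox.security.storage.ISecurePreferences;
import org.eclipse.equinox.security.storage.SecurePreferencesFactory;
import org.eclipse.equinox.security.storage.StorageException;
import org.eclipse.jface.dialogs.IDialogSettings;

/** Clear-text versus secure-storage persistence of JAR-signing secrets (example, assumed names). */
public final class SigningCredentialStore {
    // Assumed node path and key names; not the ones used by the PDE patch.
    private static final String NODE_PATH = "org.eclipse.pde.ui/jarsigning";
    private static final String KEY_STOREPASS = "password";
    private static final String KEY_KEYPASS = "keypass";

    /**
     * The pattern the bug describes: IDialogSettings is serialized to the
     * plug-in's dialog_settings.xml as plain text, so both secrets are
     * readable by anything that can read the workspace metadata.
     */
    public static void rememberInClearText(IDialogSettings settings, String storePass, String keyPass) {
        settings.put(KEY_STOREPASS, storePass);
        settings.put(KEY_KEYPASS, keyPass);
    }

    private static ISecurePreferences node() {
        // Per-user secure storage root; the node is created on first access.
        return SecurePreferencesFactory.getDefault().node(NODE_PATH);
    }

    /** Secure-storage variant: encrypt=true protects the values at rest with the master-password provider. */
    public static void rememberSecurely(String storePass, String keyPass)
            throws StorageException, IOException {
        ISecurePreferences n = node();
        n.put(KEY_STOREPASS, storePass, true);
        n.put(KEY_KEYPASS, keyPass, true);
        n.flush(); // persist to the secure_storage file now, not at shutdown
    }

    /** Returns the remembered keystore password, or null when none is stored. */
    public static String storedStorePass() throws StorageException {
        return node().get(KEY_STOREPASS, null);
    }

    /** Forget both secrets, e.g. when the user disables remembering them. */
    public static void forget() throws IOException {
        ISecurePreferences n = node();
        n.remove(KEY_STOREPASS);
        n.remove(KEY_KEYPASS);
        n.flush();
    }
}
```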