stevel 2005/03/23 07:06:48 Modified: docs/manual/CoreTasks signjar.html src/main/org/apache/tools/ant/taskdefs SignJar.java src/etc/testcases/taskdefs signjar.xml src/testcases/org/apache/tools/ant/taskdefs SignJarTest.java . WHATSNEW Log: -TSA support, bug 32390 Revision Changes Path 1.21 +27 -0 ant/docs/manual/CoreTasks/signjar.html Index: signjar.html =================================================================== RCS file: /home/cvs/ant/docs/manual/CoreTasks/signjar.html,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- signjar.html 23 Mar 2005 14:09:06 -0000 1.20 +++ signjar.html 23 Mar 2005 15:06:48 -0000 1.21 @@ -113,6 +113,19 @@ time as the original jar files.</td> <td valign="top" align="center">No; default false.</td> </tr> + <tr> + <td valign="top">tsaurl</td> + <td valign="top">URL for a timestamp authority for timestamped + JAR files in Java1.5+</td> + <td valign="top" align="center">No</td> + </tr> + <tr> + <td valign="top">tsacert</td> + <td valign="top">alias in the keystore for a timestamp authority for + timestamped JAR files in Java1.5+</td> + <td valign="top" align="center">No</td> + </tr> + </table> <h3>Parameters as nested elements</h3> <table border="1" cellpadding="2" cellspacing="0"> 
@@ -141,6 +154,20 @@ signs the ant.jar with alias "apache-group" accessing the keystore and private key via "secret" password. </p> + +<h3>About timestamp signing</h3> + +<p> +Timestamped JAR files are a new feature in Java1.5; a feature supported in Ant since +Ant 1.7. Ant does not yet support proxy setup for this singing process, and +the whole TSA feature is not tested yet. Furthermore, the +<a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/time-of-signing-beta1.html"> +official TSA documentation</a> +warns that the API is subject to change. If a future version of Java changes the +API, Ant will break. It may be possible to hide changes if and when they occur, +but this can not be guaranteed. +</p> + <hr> <p align="center">Copyright © 2000-2005 The Apache Software Foundation. All rights Reserved.</p> 1.51 +88 -2 ant/src/main/org/apache/tools/ant/taskdefs/SignJar.java Index: SignJar.java =================================================================== RCS file: /home/cvs/ant/src/main/org/apache/tools/ant/taskdefs/SignJar.java,v retrieving revision 1.50 retrieving revision 1.51 diff -u -r1.50 -r1.51 --- SignJar.java 23 Mar 2005 14:09:06 -0000 1.50 +++ SignJar.java 23 Mar 2005 15:06:48 -0000 1.51 @@ -41,6 +41,10 @@ * exists then its modification date is used as a cue as to whether to resign * any JAR file. * + * Timestamp driven signing is based on the unstable and inadequately documented + * information in the Java1.5 docs + * @see <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/time-of-signing-beta1.html"> + * beta documentation</a> * @ant.task category="java" * @since Ant 1.1 */ 
@@ -94,11 +98,23 @@ protected boolean verbose; /** - * flag for + * flag for internal sf signing */ protected boolean internalsf; + + /** + * sign sections only? + */ protected boolean sectionsonly; + + /** + * flag to preserve timestamp on modified files + */ private boolean preserveLastModified; + + /** + * redirector used to talk to the jarsigner program + */ private RedirectorElement redirector; /** @@ -128,6 +144,16 @@ private FileNameMapper mapper; /** + * URL for a tsa; null implies no tsa support + */ + protected String tsaurl; + + /** + * alias for the TSA in the keystore + */ + protected String tsacert; + + /** * error string for unit test verification: [EMAIL PROTECTED] */ public static final String ERROR_TODIR_AND_SIGNEDJAR @@ -327,11 +353,51 @@ mapper = newMapper; } + /** + * get the active mapper; may be null + * @return mapper or null + * @since Ant 1.7 + */ public FileNameMapper getMapper() { return mapper; } /** + * get the -tsaurl url + * @return url or null + * @since Ant 1.7 + */ + public String getTsaurl() { + return tsaurl; + } + + /** + * + * @param tsaurl + * @since Ant 1.7 + */ + public void setTsaurl(String tsaurl) { + this.tsaurl = tsaurl; + } + + /** + * get the -tsacert option + * @since Ant 1.7 + * @return a certificate alias or null + */ + public String getTsacert() { + return tsacert; + } + + /** + * set the alias in the keystore of the TSA to use; + * @param tsacert + */ + public void setTsacert(String tsacert) { + this.tsacert = tsacert; + } + + /** * sign the jar(s) * * @throws BuildException on errors @@ -523,6 +589,9 @@ cmd.createArg().setValue("-sectionsonly"); } + //add -tsa operations if declared + addTimestampAuthorityCommands(cmd); + //JAR source is required cmd.createArg().setValue(jarSource.getPath()); 
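Review bot: The javadoc on `setTsaurl` in the accessor hunk (`@@ -327,11 +353,51 @@`) is empty, and both new setters carry a bare `@param` with no description. The value decides which timestamp authority the signing run is pointed at, so the setter should say so, e.g. `set the URL of the timestamp authority, passed to jarsigner as -tsa; null means no timestamping` with `@param tsaurl URL of the TSA, or null`. `setTsacert` should likewise describe its argument as `@param tsacert alias of the TSA certificate in the keystore, or null`. `setTsacert` is also missing the `@since Ant 1.7` tag that the other three accessors have.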
@@ -545,6 +614,23 @@ } /** + * If the tsa parameters are set, this passes them to the command. + * There is no validation of java version, as third party JDKs + * may implement this on earlier/later jarsigner implementations. + * @param cmd + */ + private void addTimestampAuthorityCommands(final ExecTask cmd) { + if(tsaurl!=null) { + cmd.createArg().setValue("-tsa"); + cmd.createArg().setValue(tsaurl); + } + if (tsacert != null) { + cmd.createArg().setValue("-tsacert"); + cmd.createArg().setValue(tsacert); + } + } + + /** * Compare a jar file with its corresponding signed jar. The logic for this * is complex, and best explained in the source itself. Essentially if * either file doesnt exist, or the destfile has an out of date timestamp, @@ -559,7 +645,7 @@ */ protected boolean isUpToDate(File jarFile, File signedjarFile) { if (null == jarFile && !jarFile.exists()) { - //these are pathological case, but retained in case somebody + //these are pathological cases, but retained in case somebody //subclassed us. return false; } 1.8 +5 -0 ant/src/etc/testcases/taskdefs/signjar.xml Index: signjar.xml =================================================================== RCS file: /home/cvs/ant/src/etc/testcases/taskdefs/signjar.xml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- signjar.xml 23 Mar 2005 14:09:06 -0000 1.7 +++ signjar.xml 23 Mar 2005 15:06:48 -0000 1.8 @@ -5,6 +5,7 @@ <property name="subdir" location="${sign.dir}/subdir" /> <property name="test.jar" location="${sign.dir}/signtest.jar" /> <property name="subdirtest.jar" location="${subdir}/signtest.jar" /> + <mkdir dir="${sign.dir}" /> <mkdir dir="${subdir}" /> 
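Review bot: `addTimestampAuthorityCommands` forwards `tsaurl` and `tsacert` whenever they are non-null, so an empty attribute value yields `-tsa` followed by an empty argument. Setting both attributes passes both options, with nothing stating which one jarsigner honours. I would skip empty values with `if (tsaurl != null && tsaurl.length() > 0) {` (and the same for `tsacert`). I would also document the precedence in signjar.html, or log at verbose level which authority was requested, so the build log records where the timestamp came from. Minor: `if(tsaurl!=null)` does not match the spacing of the `tsacert` check below it, and `@param cmd` has no description.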
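Review bot: The guard shown as context in the `isUpToDate` hunk, `if (null == jarFile && !jarFile.exists())`, cannot do what its comment describes. When `jarFile` is null the second operand dereferences it and throws a NullPointerException; when it is non-null the first operand is false, so a missing file is never caught here. The commit only corrects the comment's wording; the condition should read `if (null == jarFile || !jarFile.exists()) {`. The rest of `isUpToDate` lies outside the hunk, so whether a later check covers the missing-file case cannot be seen from here.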
@@ -168,6 +169,10 @@ alias="testonly" jar="${test.jar}"/> </target> + + <target name="testTsaLocalhost" depends="jar"> + <sign tsaurl="http://localhost:0/" /> + </target> </project> 1.11 +8 -2 ant/src/testcases/org/apache/tools/ant/taskdefs/SignJarTest.java Index: SignJarTest.java =================================================================== RCS file: /home/cvs/ant/src/testcases/org/apache/tools/ant/taskdefs/SignJarTest.java,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- SignJarTest.java 23 Mar 2005 14:09:06 -0000 1.10 +++ SignJarTest.java 23 Mar 2005 15:06:48 -0000 1.11 @@ -143,7 +143,13 @@ public void testNoStorePass() { expectBuildExceptionContaining("testNoStorePass", - "no files", + "no password", SignJar.ERROR_NO_STOREPASS); } - } + + public void testTsaLocalhost() { + expectBuildException("testTsaLocalhost", + "no TSA at localhost:0"); + assertLogContaining("java.net.ConnectException"); + } +} 1.791 +1 -0 ant/WHATSNEW Index: WHATSNEW =================================================================== RCS file: /home/cvs/ant/WHATSNEW,v retrieving revision 1.790 retrieving revision 1.791 diff -u -r1.790 -r1.791 --- WHATSNEW 23 Mar 2005 14:09:06 -0000 1.790 +++ WHATSNEW 23 Mar 2005 15:06:48 -0000 1.791 @@ -151,6 +151,7 @@ -a destDir attribute with the appropriate dependency logic, which can be used with the jar attribute or nested filesets -a mapper to permit filename remapping on signing + -tsaurl and tsacert attributes for timestamped JAR signing Changes from Ant 1.6.2 to current Ant 1.6 CVS version =====================================================
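Review bot: `testTsaLocalhost` asserts that the log contains `java.net.ConnectException`, which is presumably text emitted by the external jarsigner program rather than by Ant. The test therefore passes only where jarsigner understands `-tsa` and reports the failure with that exact class name. On a pre-1.5 JDK (the manual describes timestamping as Java1.5+) jarsigner would presumably reject the option, and the log assertion would fail for an unrelated reason. I would guard the test so it runs only on Java 1.5 or later, and add a comment such as `// port 0 is never listening, so the TSA request must fail to connect` to explain the `http://localhost:0/` value in signjar.xml. A companion target that sets only `tsacert` would cover the second branch of the new method.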