Skip to content

Commit

Permalink
SignServer documentation (#252)
Browse files Browse the repository at this point in the history
  • Loading branch information
ebourg committed Nov 13, 2024
1 parent bc1bedd commit 3040bb1
Show file tree
Hide file tree
Showing 6 changed files with 52 additions and 3 deletions.
8 changes: 7 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Jsign is free to use and licensed under the [Apache License version 2.0](https:/
* [GaraSign](https://garantir.io/garasign/)
* [Google Cloud KMS](https://cloud.google.com/security-key-management)
* [HashiCorp Vault](https://www.vaultproject.io/)
* [Keyfactor SignServer](https://www.signserver.org)
* [Oracle Cloud KMS](https://www.oracle.com/security/cloud-security/key-management/)
* [SSL.com eSigner](https://www.ssl.com/esigner/)
* Private key formats: PVK and PEM (PKCS#1 and PKCS#8), encrypted or not
Expand All @@ -54,7 +55,12 @@ See https://ebourg.github.io/jsign for more information.

#### Version 7.0 (in development)

* New signing services: HashiCorp Vault Transit (contributed by Eatay Mizrachi), Azure Trusted Signing, Oracle Cloud and GaraSign
* New signing services:
* Azure Trusted Signing
* Oracle Cloud
* GaraSign
* HashiCorp Vault Transit (contributed by Eatay Mizrachi)
* Keyfactor SignServer (contributed by Björn Kautler)
* Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
* Commands have been added:
* `timestamp`: timestamps the signatures of a file
Expand Down
40 changes: 40 additions & 0 deletions docs/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ <h3 id="features">Features</h3>
<li><a href="https://garantir.io/garasign/">GaraSign</a></li>
<li><a href="https://cloud.google.com/security-key-management">Google Cloud KMS</a></li>
<li><a href="https://www.vaultproject.io">HashiCorp Vault</a></li>
<li><a href="https://www.signserver.org">Keyfactor SignServer</a></li>
<li><a href="https://www.oracle.com/security/cloud-security/key-management/">Oracle Cloud KMS</a></li>
<li><a href="https://www.ssl.com/esigner/">SSL.com eSigner</a></li>
</ul>
Expand Down Expand Up @@ -228,6 +229,7 @@ <h4 id="attributes" class="mobile-only">Attributes</h4>
<li><code>GOOGLECLOUD</code>: Google Cloud KMS</li>
<li><code>HASHICORPVAULT</code>: HashiCorp Vault</li>
<li><code>ORACLECLOUD</code>: Oracle Cloud Key Management Service</li>
<li><code>SIGNSERVER</code>: Keyfactor SignServer</li>
<li><code>TRUSTEDSIGNING</code>: Azure Trusted Signing</li>
</ul>
</td>
Expand Down Expand Up @@ -549,6 +551,7 @@ <h3 id="cli">Command Line Tool</h3>
- GOOGLECLOUD: Google Cloud KMS
- HASHICORPVAULT: HashiCorp Vault
- ORACLECLOUD: Oracle Cloud Key Management Service
- SIGNSERVER: Keyfactor SignServer
- TRUSTEDSIGNING: Azure Trusted Signing
-a,--alias &lt;NAME> The alias of the certificate used for signing in the keystore
--keypass &lt;PASSWORD> The password of the private key. When using a keystore,
Expand Down Expand Up @@ -880,6 +883,43 @@ <h4 id="example-hashicorpvault">Signing with HashiCorp Vault</h4>
--certfile full-chain.pem application.exe
</pre>


<h4 id="example-signserver">Signing with Keyfactor SignServer</h4>

<p><a href="https://www.signserver.org">SignServer</a> is an on-premises open source signing service developed by Keyfactor.
SignServer supports various signing operations handled by signer workers. Jsign requires a
<a href="https://doc.primekey.com/signserver/signserver-reference/signserver-workers/signserver-signers/plain-signer">Plain Signer</a>
worker configured with the <code>CLIENTSIDEHASHING</code> or <code>ALLOW_CLIENTSIDEHASHING_OVERRIDE</code> properties
set to <code>true</code>, and the <code>SIGNATUREALGORITHM</code> property set to <code>NONEwithRSA</code> or
<code>NONEwithECDSA</code>.</p>

<p>The authentication is performed by specifying the username/password or the TLS client certificate in the
<code>storepass</code> parameter. If the TLS client certificate is stored in a password protected keystore, the password
is specified in the <code>keypass</code> parameter. The <code>keystore</code> parameter references the URL of the
SignServer REST API. The <code>alias</code> parameter specifies the id or the name of the worker. </p>

<p>Authenticating with a username and a password:</p>

<pre>
jsign --storetype SIGNSERVER \
--keystore https://example.com/signserver \
--storepass "&lt;username&gt;|&lt;password&gt;" \
--alias test \
application.exe
</pre>

<p>Authenticating with a TLS client certificate:</p>

<pre>
jsign --storetype SIGNSERVER \
--keystore https://example.com/signserver \
--storepass "/path/to/client-certificate.p12" \
--keypass &lt;client-certificate-password&gt; \
--alias test \
application.exe
</pre>


<h4 id="example-oraclecloud">Signing with Oracle Cloud Key Management Service</h4>

<p>Signing with the Oracle Cloud Infrastructure Key Management Service requires the
Expand Down
1 change: 1 addition & 0 deletions jsign-cli/src/main/java/net/jsign/JsignCLI.java
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ public static void main(String... args) {
+ "- GOOGLECLOUD: Google Cloud KMS\n"
+ "- HASHICORPVAULT: HashiCorp Vault\n"
+ "- ORACLECLOUD: Oracle Cloud Key Management Service\n"
+ "- SIGNSERVER: Keyfactor SignServer\n"
+ "- TRUSTEDSIGNING: Azure Trusted Signing\n").build());
options.addOption(Option.builder("a").hasArg().longOpt(PARAM_ALIAS).argName("NAME").desc("The alias of the certificate used for signing in the keystore").build());
options.addOption(Option.builder().hasArg().longOpt(PARAM_KEYPASS).argName("PASSWORD").desc("The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password").build());
Expand Down
2 changes: 1 addition & 1 deletion jsign-maven-plugin/src/main/java/net/jsign/JsignMojo.java
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ public class JsignMojo extends AbstractMojo {

/**
* The type of the keystore (JKS, JCEKS, PKCS12, PKCS11, ETOKEN, NITROKEY, OPENPGP, OPENSC, PIV, YUBIKEY, AWS,
* AZUREKEYVAULT, DIGICERTONE, ESIGNER, GARASIGN, GOOGLECLOUD, HASHICORPVAULT, ORACLECLOUD or TRUSTEDSIGNING).
* AZUREKEYVAULT, DIGICERTONE, ESIGNER, GARASIGN, GOOGLECLOUD, HASHICORPVAULT, ORACLECLOUD, SIGNSERVER or TRUSTEDSIGNING).
*/
@Parameter( property = "jsign.storetype" )
private String storetype;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ _jsign()
return 0
;;
--storetype)
COMPREPLY=( $( compgen -W 'JKS JCEKS PKCS12 PKCS11 AWS AZUREKEYVAULT DIGICERTONE ESIGNER ETOKEN GARASIGN GOOGLECLOUD HASHICORPVAULT ORACLECLOUD TRUSTEDSIGNING YUBIKEY NITROKEY OPENPGP OPENSC PIV' -- "$cur" ) )
COMPREPLY=( $( compgen -W 'JKS JCEKS PKCS12 PKCS11 AWS AZUREKEYVAULT DIGICERTONE ESIGNER ETOKEN GARASIGN GOOGLECLOUD HASHICORPVAULT ORACLECLOUD SIGNSERVER TRUSTEDSIGNING YUBIKEY NITROKEY OPENPGP OPENSC PIV' -- "$cur" ) )
return 0
;;
--storepass|-a|--alias|--keypass|-t|--tsaurl|-r|--tsretries|-w|--tsretrywait|-n|--name|-u|--url|--proxyUrl|--proxyUser|--proxyPass|--value)
Expand Down
2 changes: 2 additions & 0 deletions jsign/src/deb/data/usr/share/man/man1/jsign.1
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,8 @@ Cloud key management systems:
.br
- ORACLECLOUD : Oracle Cloud Key Management Service
.br
- SIGNSERVER : Keyfactor SignServer
.br
- TRUSTEDSIGNING: Azure Trusted Signing

This option is not required for file based keystores (JKS, JCEKS and PKCS12).
Expand Down

0 comments on commit 3040bb1

Please sign in to comment.