#72 Use certificate chain for signing connectors

exasol · Dec 12, 2023 · 7dedecf · 7dedecf
1 parent a909e7b
commit 7dedecf
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 20 deletions.
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -12,16 +12,11 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: 20
-
-      - name: Cache npm files
-        uses: actions/cache@v3
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: "javascript-test/package-lock.json"
 
       - name: Run JavaScript tests
         run: |
@@ -39,12 +34,17 @@ jobs:
           path: target/exasol_*.taco
 
       - name: Retrieve code signing certificate
-        run: echo $CODE_SIGNING_CERTIFICATE_BASE64 | base64 --decode > target/cert.pfx
+        run: echo $CODE_SIGNING_CERTIFICATE_BASE64 | base64 --decode > target/cert.p12
         env:
           CODE_SIGNING_CERTIFICATE_BASE64: ${{ secrets.CODE_SIGNING_CERTIFICATE_BASE64 }}
 
+      - name: Retrieve code signing certificate chain
+        run: echo $CODE_SIGNING_CERTIFICATE_CHAIN_BASE64 | base64 --decode > target/cert_chain.p7b
+        env:
+          CODE_SIGNING_CERTIFICATE_CHAIN_BASE64: ${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN_BASE64 }}
+
       - name: Sign connectors
-        run: ./tools/sign_connector.sh target/cert.pfx
+        run: ./tools/sign_connector.sh target/cert.p12 target/cert_chain.p7b
         env:
           CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
 
@@ -55,7 +55,7 @@ jobs:
           path: target/tableau-exasol-connector-*.taco
 
       - name: Set up JDK 11
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: 11

diff --git a/tools/sign_connector.sh b/tools/sign_connector.sh
@@ -9,19 +9,29 @@ timestamp_authority_server="http://timestamp.sectigo.com"
 key_alias="1"
 
 if [[ -z "${1+x}" ]] ; then
-    echo "Path to keystore not specifified. Usage:"
-    echo "  $0 </path/to/keystore>"
+    echo "ERROR: Path to .p12 keystore not specifified. Usage:"
+    echo "  $0 </path/to/keystore.p12> </path/to/cert-chain.p7b>"
     exit 1
 fi
-
-keystore="$1"
-
+readonly keystore="$1"
 if [[ ! -f "$keystore" ]] ; then
-    echo "Keystore file does not exist: $keystore"
+    echo "ERROR: Keystore file does not exist: $keystore"
+    exit 1
+fi
+
+if [[ -z "${2+x}" ]] ; then
+    echo "ERROR: Path to .p7b certificate chain not specifified. Usage:"
+    echo "  $0 </path/to/keystore.p12> </path/to/cert-chain.p7b>"
+    exit 1
+fi
+readonly cert_chain="$2"
+if [[ ! -f "$cert_chain" ]] ; then
+    echo "ERROR: Certificate chain file does not exist: $cert_chain"
     exit 1
 fi
 
-echo "Signing JDBC and ODBC connectors using keystore $keystore"
+echo "Using keystore $keystore"
+echo "Using certificate chain $cert_chain"
 
 storepass=${CODE_SIGNING_CERTIFICATE_PASSWORD-}
 
@@ -55,7 +65,9 @@ sign_jar() {
 
     echo "Signing connector $jar_file"
     jarsigner "$jar_file" $key_alias \
-      -keystore "$keystore" -storepass "$storepass" \
+      -keystore "$keystore" \
+      -storepass "$storepass" \
+      -certchain "$cert_chain" \
       -signedjar "$signed_jar" \
       -tsa "$timestamp_authority_server" \
       -strict