
Signing with Digicert One expects a security-settings.xml file

Open schuster1337 opened this issue 1 year ago • 2 comments

Due to CodeSigning structure changes we now use DigiCert Keylocker for code signing. Now I have to adjust all code signing build steps for our pipeline. I am fairly new to Maven but somehow have to make it work.

I use GitLab CI and have provided my project with the needed credentials for DigiCert (DIGICERT_CODESIGN_APIKEY and DIGICERT_CODESIGN_PW). I execute the maven command with additional parameters to get the variables from GitLab right into the pom.xml:

MAVEN_EXTRA_ARGS: clean install -Dapikey=$DIGICERT_CODESIGN_APIKEY -Dcodesignpw=$DIGICERT_CODESIGN_PW

My configuration of jsign in the root pom.xml:

                <plugin>
                    <groupId>net.jsign</groupId>
                    <artifactId>jsign-maven-plugin</artifactId>
                    <version>7.0</version>
                    <configuration>
                        <url>http://connect.cgm.com</url>
                        <storetype>DIGICERTONE</storetype>
                        <alias>${alis}</alias>
                        <storepass>${apikey}|${project.base.dir}/signing/Certificate_pkcs12.p12|${codesignpw}</storepass>
                        <tsaurl>http://timestamp.digicert.com</tsaurl>
                        <tsretries>3</tsretries>
                        <tsretrywait>15</tsretrywait>
                    </configuration>
                </plugin>

The configuration in the project pom.xml:

                    <execution>
                        <id>sign .exe</id>
                        <phase>package</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                        <configuration combine.children="append">
                            <file>${project.build.directory}/path/to.exe</file>
                        </configuration>
                    </execution>

The job fails with the following error:

[ERROR] Failed to execute goal net.jsign:jsign-maven-plugin:7.0:sign (sign my.exe) on project SmartUpdate-standalone: error using security dispatcher: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: /root/.m2/settings-security.xml (No such file or directory) -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal net.jsign:jsign-maven-plugin:7.0:sign (sign my.exe) on project my-project: error using security dispatcher: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: /root/.m2/settings-security.xml (No such file or directory)

But the password for code signing is right there in the call. What exactly am I doing wrong here?

schuster1337 • Jan 27 '25 08:01

Did you get a stacktrace? If not, add the -X parameter when invoking Maven.

ebourg • Jan 27 '25 09:01

This looks more like a Maven configuration issue than a Jsign issue. I guess that your ~/.m2/settings.xml file contains an encrypted key, and the master key required to decrypt it can't be found because the file ~/.m2/settings-security.xml doesn't exist.

ebourg • Jan 27 '25 09:01
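
A way to check the condition described in the last comment, as an added example that is not part of the original thread or of Jsign: it reports which `settings.xml` elements hold a Maven-encrypted `{...}` value (element paths only, never the value) and whether `settings-security.xml` provides a master key. The sample settings are constructed, and the default `~/.m2` paths in the demo are assumptions about the build image.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Maven marks an encrypted value with unescaped braces, e.g. {COQLCE6DU6GtcS5P=}.
# A "$" before the brace is a ${property} reference, not ciphertext.
ENCRYPTED = re.compile(r"(?<![\\$])\{[^{}]+\}")

# Constructed sample, not taken from the issue.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers><server>
    <id>example-repo</id>
    <username>${env.CI_USER}</username>
    <password>{CONSTRUCTEDciphertext0=}</password>
  </server></servers>
</settings>"""


def encrypted_fields(settings_xml):
    """Return paths of elements holding an encrypted value (never the value)."""
    hits = []

    def walk(node, path):
        here = path + "/" + node.tag.rsplit("}", 1)[-1]  # drop XML namespace
        if node.text and ENCRYPTED.search(node.text):
            hits.append(here)
        for child in node:
            walk(child, here)

    walk(ET.fromstring(settings_xml), "")
    return hits


def diagnose(settings_file, security_file):
    """Report whether Maven needs settings-security.xml and can find a key in it."""
    settings_file, security_file = Path(settings_file), Path(security_file)
    if not settings_file.is_file():
        return "no-settings", []
    fields = encrypted_fields(settings_file.read_text(encoding="utf-8"))
    if not fields:
        return "no-encrypted-values", []
    if not security_file.is_file():
        return "master-key-file-missing", fields
    root = ET.parse(security_file).getroot()
    if root.findtext("master") or root.findtext("relocation"):
        return "ok", fields
    return "master-key-entry-missing", fields


if __name__ == "__main__":
    m2 = Path.home() / ".m2"
    print(diagnose(m2 / "settings.xml", m2 / "settings-security.xml"))
```

If the CI job passes a different settings file to Maven with `-s`, point `diagnose` at that file instead of the `~/.m2` default.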