...
DigiCert's recommended approach for automating the JAR signing process is to use its custom PKCS#11 implementation with the maven-jarsigner-plugin: https://docs.digicert.com/deen/digicertsoftware-one/securetrust-software-manager/cisigning-cd-integrations/maven-integration-with-pkcs11tools/sign-java-files-with-jarsigner-using-pkcs11-integration.html. (ASF INFRA also has some recommendations at https://infra.apache.org/digicert-use.html, but at the moment those primarily target signing Windows applications.)
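A sketch of what this setup looks like in a POM, added here as an illustration and not taken from the project's build or from DigiCert's documentation. The file name `pkcs11.cfg`, the library path placeholder, the provider name, the `signing.alias` property and the `storepass` value are assumptions.

```xml
<!-- Added example: jarsigner over PKCS#11 via maven-jarsigner-plugin.

     pkcs11.cfg is the SunPKCS11 provider configuration (constructed sample):
       name = DigiCert
       library = /PATH/TO/smpkcs11.dylib
       slotListIndex = 0
     "library" must point at a build of the PKCS#11 library that matches the
     architecture of the JVM running Maven.
-->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>sign-jars</id>
      <goals>
        <goal>sign</goal>
      </goals>
      <configuration>
        <!-- keystore NONE + storetype PKCS11: jarsigner takes the key from
             the PKCS#11 token instead of a keystore file. -->
        <keystore>NONE</keystore>
        <storetype>PKCS11</storetype>
        <!-- Assumption: the token needs no PIN from jarsigner because the
             signing client authenticates through its own environment. -->
        <storepass>NONE</storepass>
        <!-- Load the JDK's PKCS#11 provider with the config file above. -->
        <providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
        <providerArg>${project.basedir}/pkcs11.cfg</providerArg>
        <!-- Hypothetical property; supply it from CI secrets, not the POM. -->
        <alias>${signing.alias}</alias>
        <!-- Timestamp the signature so it stays verifiable after the
             certificate expires. -->
        <tsa>http://timestamp.digicert.com</tsa>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Keeping the alias and any client credentials in CI-provided properties or environment variables avoids committing signing secrets to the repository.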
...
All secrets were created by INFRA in the context of Jira
These are
Integration in Tycho P2 Repository Build
...
- The provided PKCS#11 library from https://one.digicert.com/signingmanager/client-tools/smpkcs11-mac-x64 is not suitable for use on Apple Silicon (aarch64). jarsigner then emits:
  jarsigner error: java.security.ProviderException: Initialization failed
- Version 1.32.0 fixes this, as it comes with a dylib for both architectures, X86-64 and ARM64.
- The provided PKCS#11 library crashes with a segfault when jarsigner is called on X86-64 under Rosetta 2 on Apple Silicon.
...
- This is only an issue with Java 19 or newer. Older versions should work fine.
Migration to GPG Signatures
...