Creating a keystore for plugin signing the easy way

Previously when creating keystores for plugin signing I’ve used a lot of dark magic, crying at the moon and a custom tool I wrote called KeystoreUtil to convert between different formats. The other day I was doing a consulting gig on plugin signing and came up with an easier way just using iKeyman and the Java tooling. I created a presentation with the various commands and screenshots and put it on Slideshare.

Hope it will help someone.

BAT-files (yup – you heard right!) to sign an entire update site

Digitally signing an Eclipse update site after the fact (i.e. when it’s not part of the build) can be tedious and time consuming. To make the process easier I wrote two small BAT-files that do the recursive signing of all plugin and feature JAR-files for you. Just put the two BAT-files (signall.bat and dosign.bat) in the root directory of the Eclipse update site (next to site.xml) and invoke signall.bat.

Syntax
signall.bat <keystore path> <keystore password> <certificate alias from keystore>

Example
signall.bat mykeystore changeit signer_key

signall.bat

@echo off
rem jdkhome must point at the JDK; jarsigner.exe lives under %jdkhome%\bin
set jdkhome=%JAVA_HOME%
rem "delims=" keeps the whole path in %%a even when it contains spaces
for /f "delims=" %%a in ('dir /b /s *.jar') do call dosign.bat %1 %2 %3 "%%a"
set jdkhome=

dosign.bat

@echo off
echo Signing: %~4
rem jarsigner syntax is: jarsigner [options] jar-file alias, so %4 is the JAR and %3 the key alias
"%jdkhome%\bin\jarsigner.exe" -keystore %1 -storepass %2 %4 %3

Signed demo plugin on OpenNTF

Today Niklas Heidloff tweeted about a new demo Java extension that has been published on OpenNTF. Besides being a very nice demo example it also has one noticeable difference from all other Java extensions that have been published so far. The difference is small but very important: it’s digitally signed!

When installing Java extensions in Notes you have probably grown used to the “Are you really, really, really, really sure you want to install this unsigned Java extension in your Notes client”-prompt. Without thinking you probably click “Yes” out of habit, which is why you may not remember the prompt. If you install this Java extension you won’t see this prompt because it’s signed by a certificate you trust (it’s an IBM certificate).

Running jarsigner -verify -verbose -certs on the feature JAR yields something like this:

[entry was signed on 01-11-09 04:05]
X.509, CN=International Business Machines Corporation,
OU=Lotus Software Group, OU=Digital ID Class 3 - Java
Object Signing, O=International Business Machines
Corporation, L=Westford, ST=Massachusetts, C=US

The difference is small but very important. You did notice it didn’t prompt you right?
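To confirm that a signing run over an update site (the signall.bat loop above) missed nothing before the site is published, here is an added example that walks the site and flags every JAR with no signature entries; it is not from the original posts, the directory layout and file names are constructed for illustration, and it only checks that signature files are present, so jarsigner -verify -certs is still needed to check validity and the certificate chain:

```python
import os
import tempfile
import zipfile

def jar_signature_status(jar_path):
    """Return (signed, signer_names): signed when META-INF/<NAME>.SF has a matching
    .RSA/.DSA/.EC block. Presence only; validity needs `jarsigner -verify -certs`."""
    signers = []
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        for name in names:
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(".SF"):
                base = name[:-3]
                if any(base + ext in names for ext in (".RSA", ".DSA", ".EC")):
                    signers.append(os.path.basename(base))
    return bool(signers), sorted(signers)

def find_unsigned_jars(site_root):
    """Walk the update site (plugins/ and features/ included) and return site-relative
    paths of every unsigned JAR: the same files signall.bat finds with `dir /b /s *.jar`."""
    unsigned = []
    for dirpath, _dirs, files in os.walk(site_root):
        for fname in files:
            if fname.lower().endswith(".jar"):
                full = os.path.join(dirpath, fname)
                if not jar_signature_status(full)[0]:
                    unsigned.append(os.path.relpath(full, site_root).replace(os.sep, "/"))
    return sorted(unsigned)

def build_sample_site():
    """Constructed sample site: one JAR with signature entries (the .RSA content is a
    placeholder, not a real PKCS#7 block) and one unsigned JAR. Returns (root, signed_jar)."""
    root = tempfile.mkdtemp(prefix="updatesite_")
    os.makedirs(os.path.join(root, "plugins"))
    os.makedirs(os.path.join(root, "features"))
    signed_jar = os.path.join(root, "plugins", "com.example.signed_1.0.0.jar")
    with zipfile.ZipFile(signed_jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/SIGNER.RSA", b"placeholder-signature-block")
    with zipfile.ZipFile(os.path.join(root, "features", "com.example.feature_1.0.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root, signed_jar

if __name__ == "__main__":
    site, _ = build_sample_site()
    print("Unsigned JARs:", find_unsigned_jars(site))
```

Point find_unsigned_jars at the real site root (the directory holding site.xml) and an empty list means every plugin and feature JAR carries signature entries.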