views: 191

answers: 2

I'd like to understand some of the best practices with respect to code signing. We have an Eclipse-based application and think it would be appropriate to sign our plug-ins. This raised a lot of questions:

  • Can/Should the private key be in source control?

  • Should we sign the code as part of our nightly build process or as part of our release process?

  • Should the code be signed automatically, or is there a reason why that should be a manual step?

My inclination is to say, "Yes", "Nightly", and "Automatically", but I could see an argument for only signing the release products. I might even make the argument that SQA should sign the code after they have verified it, although that would really mess with our release process.

How do other people manage this?

+7  A: 

It depends on how secure you want your private key to be; it might not be something that you want a temporary employee with source access to have full access to.

At my work, we do the following:

"Test sign" binaries as part of our daily builds with a checked in key. This requires a test root certificate to be on machines in order to trust the binaries, but they will not be trusted if the bits are deployed outside the company.

Weekly (and for external releases), we sign with the real key. This is done via a separate, somewhat manual process. Only a few people have access to the key to sign the product.

Michael
+3  A: 

I can tell you how I've seen this being done in a big corp. Individual developers could build the code, but they could not sign it. That would be a private build. The continuous integration machine would drop nightly builds signed with a key stored in the build machine's keystore, which would be a test key signed by a corporate certificate authority (i.e. a key trusted only within the corp). The official build could be signed only by controlled machines, with the official signature key (signed by a globally trusted authority) stored in hardware modules in a controlled-access room.

The idea is that a private key should really have only one copy in the world (at most one extra for escrow). The whole value of the key is derived from its privacy, not from anything else. The moment it is available to your entire org, it is as good as putting it out on The Pirate Bay.

Remus Rusanu
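The two-tier arrangement both answers describe (a test root that only internal machines trust, and an official root that everyone trusts), as an added example that is not code from either answer or from Eclipse. It is written in Go against the standard library so it runs stand-alone offline, standing in for the keytool/jarsigner flow an Eclipse plug-in would actually go through. The CA names, the in-memory keys and the "plug-in" bytes are all constructed for the example; in a real setup the release key would sit in an HSM and the test root would be pushed only to company machines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn: a self-signed root when parent is nil,
// otherwise a leaf signed by parent/parentKey. Only CAs get KeyUsageCertSign;
// only leaves get the code-signing EKU that verify demands. Setup helper.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// sign produces a detached ECDSA signature over SHA-256(artifact).
func sign(artifact []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verify is what the consuming machine runs: the signature must match the bytes,
// and the signer's certificate must chain, with the code-signing EKU, to a root
// in THAT machine's trust store. The trust store is what separates the two tiers.
func verify(artifact, sig []byte, signer *x509.Certificate, roots *x509.CertPool) error {
	digest := sha256.Sum256(artifact)
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// RunScenario builds both tiers and reports which artifact/trust-store pairs
// verify. Every name, key and byte string here is constructed for the example.
func RunScenario() map[string]bool {
	testRoot, testRootKey := newCert("Example Corp TEST Root", true, nil, nil)
	testSigner, testKey := newCert("nightly-build", false, testRoot, testRootKey)
	relRoot, relRootKey := newCert("Example Corp Release Root", true, nil, nil)
	relSigner, relKey := newCert("release-signing", false, relRoot, relRootKey)
	// Internal machines have the test root installed; customers only have the
	// release root, so test-signed bits are untrusted outside the company.
	internal, external := x509.NewCertPool(), x509.NewCertPool()
	internal.AddCert(testRoot)
	internal.AddCert(relRoot)
	external.AddCert(relRoot)
	plugin := []byte("constructed stand-in for org.example.plugin_1.0.0.jar")
	nightly, err := sign(plugin, testKey)
	must(err)
	release, err := sign(plugin, relKey)
	must(err)
	tampered := append([]byte(nil), plugin...)
	tampered[0] ^= 0xff // one flipped bit: the signature no longer matches
	return map[string]bool{
		"nightly/internal":  verify(plugin, nightly, testSigner, internal) == nil,
		"nightly/external":  verify(plugin, nightly, testSigner, external) == nil,
		"release/internal":  verify(plugin, release, relSigner, internal) == nil,
		"release/external":  verify(plugin, release, relSigner, external) == nil,
		"tampered/external": verify(tampered, release, relSigner, external) == nil,
	}
}

func main() { fmt.Println(RunScenario()) }
```

Run it and the printed map shows the policy the answers are after: the nightly, test-signed artifact verifies on a machine that has the test root but fails with "certificate signed by unknown authority" everywhere else, the release artifact verifies on both, and a single flipped bit fails before the chain is even consulted. Which key is "checked in" versus "in an HSM in a locked room" changes nothing in the verifier; what changes is which root you are willing to install on whose machines.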