Can I sign NBMs I create?

Apache NetBeans Wiki Index

Note: These pages are being reviewed.

Can I sign Ant based NBMs I create?

Yes, though there is not yet any GUI support for this.

  1. Make a module project.

  1. Generate a keystore, e.g.

cd .../path/to/module/
keytool -genkey -storepass specialsauce -alias myself -keystore nbproject/private/keystore

and answer the questions posed.

To make NetBeans build script sign the NBM module. The keystore and key password needs to be the same. At keytool, when the question below is asked, just press ENTER key, to make keystore and key alias the same password.

Enter key password for <myself>
  (RETURN if same as keystore password):

  1. Edit nbproject/project.properties to contain e.g.

keystore=nbproject/private/keystore
nbm_alias=myself

  1. Edit nbproject/private/platform-private.properties to contain e.g.

storepass=specialsauce

You could also pass -Dstorepass=specialsauce on the command line. If you specify a keystore but ${storepass} is undefined, you will be prompted for the password during the build.

  1. Build the NBM for the module. (Context menu of the project.) It should be signed.

  1. Try installing the NBM. (Expand build folder in Files view and double-click it.) It will not be trusted initially (and so the checkbox to really install it will initially be unchecked), since NetBeans does not know about your signature. But you can click View Certificate to examine the certificate. If you allow installation of this module, NetBeans will remember you approved this certificate and it will not ask you for confirmation next time.

Some notes:

  1. You can probably get a root-authorized certificate from VeriSign or the like, and the Auto Update wizard should treat this as more trusted. Not yet investigated (please update this FAQ entry if you experiment with this).

  1. Keeping the keystore and its password in the private dir ensures that you will not accidentally commit either to source repository or include it in a source ZIP made with the Project Packager module. It may be safe to put the keystore in a shared directory (e.g. nbproject) if you are sure that the storepass is too hard to guess.

Isn’t there an easier way?

Of course. Based on the above notes this script has been contributed by our community. Just put this in your suite’s build.xml file:

    <target name="-init" depends="suite.-init,init-netbeans,init-hudson">
        <!--Create/Update keystore-->
        <delete file="${keystore.location}${keystore.name}"/>
        <mkdir dir="${keystore.location}"/>
        <genkey alias="${keystore.alias}" storepass="${keystore.password}"
        dname="${keystore.dname}"
        keystore="${keystore.location}${keystore.name}"/>
        <!--Update keystore info in projects-->
        <antcall target="update-keystore-info"/>
    </target>

    <target name="update-keystore-info">
        <for list="${modules}" delimiter=":" param="cur" trim="true">
            <sequential>
                <mkdir dir="@{cur}/nbproject/"/>
                <!--Place the information in the properties file-->
                <propertyfile file="@{cur}/nbproject/project.properties">
                    <entry  key="keystore" value="../${keystore.location}${keystore.name}"/>
                    <entry  key="nbm_alias" value="${keystore.alias}"/>
                </propertyfile>
                <mkdir dir="@{cur}/nbproject/private/"/>
                <!--Place the password in the private properties file-->
                <propertyfile file="@{cur}/nbproject/private/platform-private.properties">
                    <entry  key="storepass" value="${keystore.password}"/>
                </propertyfile>
            </sequential>
        </for>
</target>

The script use ant-contrib library so make sure to have it available.

You can import it using one of the following:

  1. If the ant-contrib-x.jar is in ant directory:

<taskdef resource="net/sf/antcontrib/antcontrib.properties"/>

  1. Otherwise:

        <taskdef resource="net/sf/antcontrib/antcontrib.properties">
            <classpath>
                <pathelement location="path/to/ant-contribx.jar"/>
            </classpath>
        </taskdef>

Also you’ll need this values defined in your suite’s project.properties file:

keystore.dname=CN=x, OU=x, O=x, C=x
keystore.location=x/
keystore.name=x
keystore.alias=x
keystore.password=x

Just replace x with the desired value.

Great! Can you translate that?

Ok, here’s a summary:

  1. Create a keystore with genkey task.

  1. Using the defined module list (${modules} this is defined by the IDE itself) go to all your modules and add the keystore location and alias information in its nbproject/private/platform-private.properties file.

  1. Call Netbeans build task so everything keeps going.

Enjoy!

If you get an warning about your plugins not being trusted (and you’re using self-signed certificates), you need to create and register your own implementation of org.netbeans.spi.autoupdate.KeyStoreProvider which provides access to a truststore into which your self-signed certificate has been imported as a trusted entry. In other words, the keystore (private key) is used at compile time to sign the NBM file, while the truststore (created by exporting the key from the keystore, then importing it into a new store to mark it trusted) is needed at runtime to validate the signature). All of this may not be necessary if you are signing with a certificate issued by a well-known CA.

Applies to: NetBeans 6.8 and above

How can I sign Maven based NBMs I create?

Yes. nbm-maven-plugin will sign your NBM files if you set keystore, alias and password parameters correctly.

Example

  1. Create a keystore (see the instructions above)

  1. Save the keystore file into a directory like nbproject/private. Make sure that it will not get committed to VCS like git/svn/hg! Or save it outside of the project. It depends on your preference.

  1. Update the nbm-maven-plugin-configuration in the pom.xml like this `

           <plugin>
               <groupId>org.codehaus.mojo</groupId>
               <artifactId>nbm-maven-plugin</artifactId>
               <version>3.11.1</version>
               <extensions>true</extensions>
               <configuration>
                   <!-- keep it for backwards compatibility to previous versions-->
                 <codeNameBase>com.johndoe.netbeans.myplugin</codeNameBase>
                   <author>JohnDoe (john.doe@mail.foo)</author>
                   <homePageUrl>https://github.com/johndoe/myplugin</homePageUrl>
                   <!-- keystore: only required, if you don't want to pass the path to the keystore file via cmdline-->
                   <keystore>nbproject/private/keystore</keystore>
                   <keystorealias>myself</keystorealias>
                   <licenseName>Apache 2.0</licenseName>
                   <licenseFile>LICENSE-2.0.txt</licenseFile>
               </configuration>
           </plugin>

` Update the codeNameBase, keystore and other properties to your needs.

More details about configuring the plugin can be found at the offical plugin page [2]

  1. Call mvn clean package nbm:nbm -Dkeystorepass=yourpassword to build a signed nbm.OR

Call mvn clean package nbm:nbm -Dkeystorepass=yourpassword -Dkeystore=/path/to/the/keystore.file, if you want to reference the keystore manually. For more options see [3]

How can I create a keystore file and sign Maven based NBMs within the build process?

See that example at https://github.com/born2snipe/netbean-plugin-parent/blob/master/pom.xml to generate a key file via the keytool-maven-plugin.

Resources