diff --git a/topics/basics/getting_started/publishing_plugin.md b/topics/basics/getting_started/publishing_plugin.md index c37e469ed..8fb6aded8 100644 --- a/topics/basics/getting_started/publishing_plugin.md +++ b/topics/basics/getting_started/publishing_plugin.md @@ -9,6 +9,9 @@ You can choose to publish it on the [JetBrains Plugins Repository](https://plugi > {type="tip"} +Before publishing your plugin, make sure it is signed. +For more details on generating a proper certificate and configuring the signing process, check the [Plugin Signing](plugin_signing.md) article. + ## Publishing to the JetBrains Plugins Repository To upload your plugin to the [JetBrains Plugins Repository](https://plugins.jetbrains.com), you must log in with your personal JetBrains Account. @@ -28,4 +31,4 @@ To upload your plugin to the [JetBrains Plugins Repository](https://plugins.jetb New versions can be uploaded on the plugin's detail page, see [Marketplace Docs](https://plugins.jetbrains.com/docs/marketplace/custom-release-channels.html) for details. ## Publishing a Plugin to a Custom Plugin Repository -If you plan to publish your plugin to a repository _other than_ the [JetBrains Plugins Repository](https://plugins.jetbrains.com), please refer to the [Publishing to Custom Plugin Repositories](update_plugins_format.md) documentation. \ No newline at end of file +If you plan to publish your plugin to a repository _other than_ the [JetBrains Plugins Repository](https://plugins.jetbrains.com), please refer to the [Publishing to Custom Plugin Repositories](update_plugins_format.md) documentation. diff --git a/topics/basics/plugin_signing.md b/topics/basics/plugin_signing.md index aab51fbfa..0b6a7ca0c 100644 --- a/topics/basics/plugin_signing.md +++ b/topics/basics/plugin_signing.md 
@@ -23,14 +23,16 @@ The plugin author's sign-verify process is as follows: - The JetBrains sign-verify process is as follows: - JetBrains CA is used as the source of truth here. - Its public part will be added to the IDE Java TrustStore, while the private part will be used only once to generate an intermediate certificate. - - The private key of JetBrains CA is super-secret; in fact, we've already said too much. -- The intermediate certificate issues a certificate that will be used to sign plugins. - This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key. - The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited. - So now we have an AWS-based Intermediate CA. - The public part of the intermediate certificate will be added to the plugin file together with the signing certificate. -- The certificate used to sign plugins is stored securely, too. - JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files. + - The private key of JetBrains CA is super-secret; in fact, we've already said too much. + +The intermediate certificate issues a certificate that will be used to sign plugins. +This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key. +The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited. +So now we have an AWS-based Intermediate CA. +The public part of the intermediate certificate will be added to the plugin file together with the signing certificate. + +The certificate used to sign plugins is stored securely, too. +JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files. ## Signing Methods 
@@ -45,7 +47,11 @@ Both methods require a private certificate key to be already present. To generate an RSA `private.pem` private key, run the `openssl genpkey` command in the terminal, as below: ```bash -openssl genpkey -aes-256-cbc -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:4096 +openssl genpkey\ + -aes-256-cbc\ + -algorithm RSA\ + -out private.pem\ + -pkeyopt rsa_keygen_bits:4096 ``` At this point, the generated `private.key` content should be provided to the `signPlugin.privateKey` property. @@ -54,7 +60,12 @@ Provided password should be specified as the `signPlugin.password` property in t As a next step, we'll generate a `chain.crt` certificate chain with: ```bash -openssl req -key private.key -new -x509 -days 365 -out chain.crt +openssl req\ + -key private.key\ + -new\ + -x509\ + -days 365\ + -out chain.crt ``` The content of the `chain.crt` file will be used for the `signPlugin.certificateChain` property. @@ -193,7 +204,6 @@ java -jar zip-signer-cli.jar sign\ -key-pass "PRIVATE_KEY_PASSWORD" ``` - ## Signing for Custom Repositories Signing plugins hosted on a custom repository can be accomplished for added trust between the repository and installation. However, unlike Marketplace, the custom repository will not re-sign the plugin with the JetBrains key. Instead, a trusted private CA or self-signed certificate can be used to sign and validate plugins. diff --git a/topics/intro/content_updates.md b/topics/intro/content_updates.md index 27ed76662..71c6c1786 100644 --- a/topics/intro/content_updates.md +++ b/topics/intro/content_updates.md @@ -8,6 +8,11 @@ See [GitHub Changelog](https://github.com/JetBrains/intellij-sdk-docs/commits/ma ## 2021 +### July-21 + +Plugin Signing +: [Plugin Signing](plugin_signing.md) page describes the plugin signing process, explains how to generate a certificate, configure the Gradle `signPlugin` task, and introduces standalone CLI tool. + ### June-21 Testing FAQ 
diff --git a/topics/tutorials/build_system/deployment.md b/topics/tutorials/build_system/deployment.md index e1f91a939..25d0961ef 100644 --- a/topics/tutorials/build_system/deployment.md +++ b/topics/tutorials/build_system/deployment.md @@ -64,6 +64,13 @@ Note that also, in this case, you still need to put some default values in your The first step when deploying a plugin is to confirm that it works correctly. You may wish to verify this by [installing your plugin from disk](https://www.jetbrains.com/help/idea/managing-plugins.html) on a fresh instance of your target IDE(s). +### Signing a Plugin + +The Marketplace signing is designed to ensure that plugins are not modified over the course of the publishing and delivery pipeline. +In version `1.x`, the Gradle IntelliJ Plugin provides the `signPlugin` task, which will be executed automatically right before the `publishPlugin`. + +For more details on generating a proper certificate and configuring the `signPlugin` task, check the [Plugin Signing](plugin_signing.md) article. + ### Publishing a Plugin Once you are confident, the plugin works as intended, make sure the plugin version is updated, as the JetBrains Plugins Repository won't accept multiple artifacts with the same version.
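Review bot: In the publishing_plugin.md hunk, the added sentence "Before publishing your plugin, make sure it is signed." reads as an unconditional manual prerequisite, which sits awkwardly next to the deployment.md hunk in this same patch stating that the Gradle IntelliJ Plugin `1.x` runs `signPlugin` automatically right before `publishPlugin`. Suggest qualifying it so the two pages agree, e.g. "If you publish with the Gradle IntelliJ Plugin `1.x`, the `signPlugin` task runs automatically before `publishPlugin`; if you upload the plugin archive manually, sign it first."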
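Review bot: In the plugin_signing.md hunk at line 23, "The certificate used to sign plugins is stored securely, too." is vague beside the concrete statement that the intermediate key is held in AWS Certificate Manager with no application access; since the next sentence already says JetBrains Marketplace uses AWS KMS as the signature provider, either state where the signing key is held (for instance that it is kept in KMS and signing happens there, if that is the case) or drop "stored securely, too" and let the KMS sentence carry the point. A second, structural point: the restructuring moves the intermediate-certificate text out of the "JetBrains sign-verify process" list, so that list now ends on "we've already said too much" and the following paragraphs lose their cue that they continue the JetBrains side of the process; a short lead-in such as "The JetBrains side continues as follows:" before "The intermediate certificate issues a certificate..." would restore it.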
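Review bot: In the plugin_signing.md hunks at lines 47 and 60, the key file name is inconsistent: `openssl genpkey` writes `-out private.pem`, but the trailing context says "the generated `private.key` content" and the second command reads `-key private.key`, so a reader running the steps verbatim gets a missing-file error from `openssl req`. Pick one name (`private.pem` matches the lead-in sentence "To generate an RSA `private.pem` private key") and use it in all three places. Two smaller points on the same hunks: the continuation backslashes are glued to the preceding argument (`openssl genpkey\`), which bash accepts but which is easier to read and safer to edit as ` \` with a space before the backslash; and `openssl req -new -x509` produces a single self-signed certificate rather than a chain, so it is worth saying that in this self-signed setup `chain.crt` contains just that one certificate. Since `openssl req` also prompts interactively for the subject fields, mentioning `-subj` for scripted or CI use would help.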
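Review bot: In the content_updates.md hunk, the new changelog entry has two missing articles: "[Plugin Signing](plugin_signing.md) page describes" should read "The [Plugin Signing](plugin_signing.md) page describes", and "introduces standalone CLI tool" should read "introduces the standalone CLI tool" (or name it; the plugin_signing.md hunk at line 193 shows it as `zip-signer-cli.jar`).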
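Review bot: In the deployment.md hunk, "which will be executed automatically right before the `publishPlugin`" is missing its noun; suggest "right before the `publishPlugin` task". The opening sentence also reads better without the article: "Marketplace signing is designed to ensure that plugins are not modified over the course of the publishing and delivery pipeline." Since this section is the first place in deployment.md that mentions version `1.x`, consider stating that `signPlugin` is unavailable in earlier versions of the Gradle IntelliJ Plugin, so readers on an older version know why the task does not run for them.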