Plugin Signing cross-links

This commit is contained in:
Jakub Chrzanowski 2021-07-26 11:51:37 +02:00
parent 13882d6add
commit 1f9026d054
No known key found for this signature in database
GPG Key ID: C39095BFD769862E
4 changed files with 37 additions and 12 deletions

@ -9,6 +9,9 @@ You can choose to publish it on the [JetBrains Plugins Repository](https://plugi
>
{type="tip"}
Before publishing your plugin, make sure it is signed.
For more details on generating a proper certificate and configuring the signing process, check the [Plugin Signing](plugin_signing.md) article.
## Publishing to the JetBrains Plugins Repository
To upload your plugin to the [JetBrains Plugins Repository](https://plugins.jetbrains.com), you must log in with your personal JetBrains Account.
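Review bot: the added lines `Before publishing your plugin, make sure it is signed.` and the sentence after it sit below the `{type="tip"}` attribute line, so they render as an ordinary paragraph outside the tip block that `{type="tip"}` closes; if they are meant to be part of the tip, move them above the trailing `>` line and prefix them with `> `. It would also help to say here that `signPlugin` runs automatically before `publishPlugin` (as the other hunk in this commit states), so readers do not assume a separate manual step is required.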

@ -24,12 +24,14 @@ The plugin author's sign-verify process is as follows:
- JetBrains CA is used as the source of truth here.
- Its public part will be added to the IDE Java TrustStore, while the private part will be used only once to generate an intermediate certificate.
- The private key of JetBrains CA is super-secret; in fact, we've already said too much.
- The intermediate certificate issues a certificate that will be used to sign plugins.
The intermediate certificate issues a certificate that will be used to sign plugins.
This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key.
The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited.
So now we have an AWS-based Intermediate CA.
The public part of the intermediate certificate will be added to the plugin file together with the signing certificate.
- The certificate used to sign plugins is stored securely, too.
The certificate used to sign plugins is stored securely, too.
JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files.
## Signing Methods
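Review bot: the added lines drop the leading `- ` from `The intermediate certificate issues a certificate that will be used to sign plugins.` and `The certificate used to sign plugins is stored securely, too.`, which takes them out of the bullet list that starts at `JetBrains CA is used as the source of truth here.`; if the sentences beneath each item are meant as continuations, indent them under the bullet rather than removing the bullet. It would also be worth stating explicitly which key lives where: the lines say the intermediate certificate's private key is kept in AWS Certificate Manager while Marketplace signs plugins through AWS KMS, and a sentence naming the KMS-held key as the plugin-signing key (if that is the case) would keep readers from conflating it with the intermediate CA key.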
@ -45,7 +47,11 @@ Both methods require a private certificate key to be already present.
To generate an RSA `private.pem` private key, run the `openssl genpkey` command in the terminal, as below:
```bash
openssl genpkey -aes-256-cbc -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:4096
openssl genpkey\
-aes-256-cbc\
-algorithm RSA\
-out private.pem\
-pkeyopt rsa_keygen_bits:4096
```
At this point, the generated `private.key` content should be provided to the `signPlugin.privateKey` property.
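Review bot: `openssl genpkey\` has no space before the trailing backslash and, as shown, the continuation lines carry no leading indentation, so the shell removes the backslash-newline pair and joins `genpkey` and `-aes-256-cbc` into the single word `genpkey-aes-256-cbc`, which fails; write `openssl genpkey \` (space before the backslash) on every continued line. The context sentence that follows also refers to `private.key`, while the command writes `-out private.pem` and the introduction says `private.pem`; use one filename throughout.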
@ -54,7 +60,12 @@ Provided password should be specified as the `signPlugin.password` property in t
As a next step, we'll generate a `chain.crt` certificate chain with:
```bash
openssl req -key private.key -new -x509 -days 365 -out chain.crt
openssl req\
-key private.key\
-new\
-x509\
-days 365\
-out chain.crt
```
The content of the `chain.crt` file will be used for the `signPlugin.certificateChain` property.
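Review bot: `-key private.key` does not match the file the previous command produces (`-out private.pem`); the two commands should use the same filename. Because that key was generated with `-aes-256-cbc`, `openssl req` will prompt for its passphrase here, which is worth a sentence since the surrounding text already ties that passphrase to `signPlugin.password`. The same backslash spacing issue applies: `openssl req\` needs a space before the backslash unless the continuation lines are indented.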
@ -193,7 +204,6 @@ java -jar zip-signer-cli.jar sign\
-key-pass "PRIVATE_KEY_PASSWORD"
```
## Signing for Custom Repositories
Signing plugins hosted on a custom repository can be accomplished for added trust between the repository and installation. However, unlike Marketplace, the custom repository will not re-sign the plugin with the JetBrains key. Instead, a trusted private CA or self-signed certificate can be used to sign and validate plugins.
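Review bot: the context line `-key-pass "PRIVATE_KEY_PASSWORD"` passes the key passphrase as a command-line argument, where it ends up in shell history and is visible to other local users through process listings; a short note pointing readers to an environment variable or an interactive prompt, if the CLI offers either, would be useful documentation next to this example. The hunk itself only drops a blank line before `## Signing for Custom Repositories`, which is fine.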

@ -8,6 +8,11 @@ See [GitHub Changelog](https://github.com/JetBrains/intellij-sdk-docs/commits/ma
## 2021
### July-21
Plugin Signing
: [Plugin Signing](plugin_signing.md) page describes the plugin signing process, explains how to generate a certificate, configure the Gradle `signPlugin` task, and introduces standalone CLI tool.
### June-21
Testing FAQ
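Review bot: `introduces standalone CLI tool` is missing an article; `introduces the standalone CLI tool` reads better, or name the tool (`zip-signer-cli`, which appears in the other hunk of this commit). The entry otherwise follows the `### June-21` / `Testing FAQ` pattern above it.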

@ -64,6 +64,13 @@ Note that also, in this case, you still need to put some default values in your
The first step when deploying a plugin is to confirm that it works correctly.
You may wish to verify this by [installing your plugin from disk](https://www.jetbrains.com/help/idea/managing-plugins.html) on a fresh instance of your target IDE(s).
### Signing a Plugin
The Marketplace signing is designed to ensure that plugins are not modified over the course of the publishing and delivery pipeline.
In version `1.x`, the Gradle IntelliJ Plugin provides the `signPlugin` task, which will be executed automatically right before the `publishPlugin`.
For more details on generating a proper certificate and configuring the `signPlugin` task, check the [Plugin Signing](plugin_signing.md) article.
### Publishing a Plugin
Once you are confident, the plugin works as intended, make sure the plugin version is updated, as the JetBrains Plugins Repository won't accept multiple artifacts with the same version.
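Review bot: `right before the \`publishPlugin\`` is missing its noun; `right before the \`publishPlugin\` task` parallels `the \`signPlugin\` task` earlier in the same sentence. `In version \`1.x\`` should also say what is versioned, e.g. `In version \`1.x\` of the Gradle IntelliJ Plugin`, since as written the version reads as if it belongs to the plugin being signed rather than to the Gradle plugin.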