Plugin Signing cross-links

Jakub Chrzanowski 2021-07-26 11:51:37 +02:00
parent 13882d6add
commit 1f9026d054
No known key found for this signature in database
GPG Key ID: C39095BFD769862E
4 changed files with 37 additions and 12 deletions

View File

@ -9,6 +9,9 @@ You can choose to publish it on the [JetBrains Plugins Repository](https://plugi
>
{type="tip"}
Before publishing your plugin, make sure it is signed.
For more details on generating a proper certificate and configuring the signing process, check the [Plugin Signing](plugin_signing.md) article.
## Publishing to the JetBrains Plugins Repository
To upload your plugin to the [JetBrains Plugins Repository](https://plugins.jetbrains.com), you must log in with your personal JetBrains Account.
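Review bot: the two added sentences ("Before publishing your plugin, make sure it is signed." and the "For more details..." line) are placed after the `{type="tip"}` attribute line rather than inside the `>` block it decorates, so they will render as an ordinary paragraph wedged between the tip and the `## Publishing to the JetBrains Plugins Repository` heading. If they are meant to be a callout, put them in their own `>` block followed by `{type="tip"}`; either way, leave a blank line before the heading.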

View File

@ -24,13 +24,15 @@ The plugin author's sign-verify process is as follows:
- JetBrains CA is used as the source of truth here.
- Its public part will be added to the IDE Java TrustStore, while the private part will be used only once to generate an intermediate certificate.
- The private key of JetBrains CA is super-secret; in fact, we've already said too much.
- The intermediate certificate issues a certificate that will be used to sign plugins.
This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key.
The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited.
So now we have an AWS-based Intermediate CA.
The public part of the intermediate certificate will be added to the plugin file together with the signing certificate.
- The certificate used to sign plugins is stored securely, too.
JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files.
The intermediate certificate issues a certificate that will be used to sign plugins.
This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key.
The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited.
So now we have an AWS-based Intermediate CA.
The public part of the intermediate certificate will be added to the plugin file together with the signing certificate.
The certificate used to sign plugins is stored securely, too.
JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files.
## Signing Methods
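Review bot: the seven re-added lines from "The intermediate certificate issues a certificate..." through "JetBrains Marketplace uses AWS KMS as a signature provider..." repeat the removed lines word for word with only the `- ` list markers dropped, while the preceding items ("JetBrains CA is used as the source of truth here.", "Its public part will be added to the IDE Java TrustStore...") stay as bullets. The section therefore ends up as half list, half loose paragraphs, and the two former items lose their status as siblings of the CA item. Keep them as list entries (indenting the continuation lines under each `- `), or convert the whole block to paragraphs consistently.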
@ -45,7 +47,11 @@ Both methods require a private certificate key to be already present.
To generate an RSA `private.pem` private key, run the `openssl genpkey` command in the terminal, as below:
```bash
openssl genpkey -aes-256-cbc -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:4096
openssl genpkey\
-aes-256-cbc\
-algorithm RSA\
-out private.pem\
-pkeyopt rsa_keygen_bits:4096
```
At this point, the generated `private.key` content should be provided to the `signPlugin.privateKey` property.
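Review bot: the new multi-line form of the `openssl genpkey` command is broken: the shell removes a backslash-newline pair without inserting a space, so `openssl genpkey\` followed by `-aes-256-cbc\` is parsed as `openssl genpkey-aes-256-cbc-algorithm RSA-out private.pem-pkeyopt rsa_keygen_bits:4096`. Put a space before every trailing backslash, e.g. `openssl genpkey \`, `-aes-256-cbc \`. Also, the command writes `-out private.pem` while the following sentence refers to "the generated `private.key` content"; use one file name in both places.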
@ -54,7 +60,12 @@ Provided password should be specified as the `signPlugin.password` property in t
As a next step, we'll generate a `chain.crt` certificate chain with:
```bash
openssl req -key private.key -new -x509 -days 365 -out chain.crt
openssl req\
-key private.key\
-new\
-x509\
-days 365\
-out chain.crt
```
The content of the `chain.crt` file will be used for the `signPlugin.certificateChain` property.
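Review bot: same line-continuation defect as in the `genpkey` block: `openssl req\` immediately followed by `-key private.key\` joins into `openssl req-key private.key-new...` once the shell strips the backslash-newline pairs, so a space is needed before each backslash (`openssl req \`). The `-key private.key` argument also has to match the file actually produced by the previous step (`-out private.pem`), otherwise the copy-pasted sequence fails with a missing-file error. Worth stating in the text that `-x509 -days 365` produces a single self-signed certificate valid for one year, so `chain.crt` here is a one-element chain and will need regenerating on expiry.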
@ -193,7 +204,6 @@ java -jar zip-signer-cli.jar sign\
-key-pass "PRIVATE_KEY_PASSWORD"
```
## Signing for Custom Repositories
Signing plugins hosted on a custom repository can be accomplished for added trust between the repository and installation. However, unlike Marketplace, the custom repository will not re-sign the plugin with the JetBrains key. Instead, a trusted private CA or self-signed certificate can be used to sign and validate plugins.

View File

@ -8,6 +8,11 @@ See [GitHub Changelog](https://github.com/JetBrains/intellij-sdk-docs/commits/ma
## 2021
### July-21
Plugin Signing
: [Plugin Signing](plugin_signing.md) page describes the plugin signing process, explains how to generate a certificate, configure the Gradle `signPlugin` task, and introduces standalone CLI tool.
### June-21
Testing FAQ
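Review bot: the changelog definition line reads awkwardly: "[Plugin Signing](plugin_signing.md) page describes ... and introduces standalone CLI tool" is missing articles and mixes a list of verbs with a trailing clause. Suggest: "The [Plugin Signing](plugin_signing.md) page describes the plugin signing process, explains how to generate a certificate and configure the Gradle `signPlugin` task, and introduces the standalone CLI tool."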

View File

@ -64,6 +64,13 @@ Note that also, in this case, you still need to put some default values in your
The first step when deploying a plugin is to confirm that it works correctly.
You may wish to verify this by [installing your plugin from disk](https://www.jetbrains.com/help/idea/managing-plugins.html) on a fresh instance of your target IDE(s).
### Signing a Plugin
The Marketplace signing is designed to ensure that plugins are not modified over the course of the publishing and delivery pipeline.
In version `1.x`, the Gradle IntelliJ Plugin provides the `signPlugin` task, which will be executed automatically right before the `publishPlugin`.
For more details on generating a proper certificate and configuring the `signPlugin` task, check the [Plugin Signing](plugin_signing.md) article.
### Publishing a Plugin
Once you are confident, the plugin works as intended, make sure the plugin version is updated, as the JetBrains Plugins Repository won't accept multiple artifacts with the same version.
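Review bot: in the new "Signing a Plugin" section, "right before the `publishPlugin`" is missing the noun (`publishPlugin` task), and "The Marketplace signing is designed..." reads better as "Marketplace signing is designed...". Since this is the first place a reader meets signing in the deployment flow, it would also help to say explicitly that `signPlugin` needs the `signPlugin.certificateChain` and `signPlugin.privateKey` properties configured before `publishPlugin` runs, rather than only pointing to the other article.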