diff --git a/topics/basics/plugin_signing.md b/topics/basics/plugin_signing.md index b98af4f94..c5b19a988 100644 --- a/topics/basics/plugin_signing.md +++ b/topics/basics/plugin_signing.md @@ -23,13 +23,13 @@ The plugin author's sign-verify process is as follows: - The JetBrains sign-verify process is as follows: - JetBrains CA is used as the source of truth here. - Its public part will be added to the IDE Java TrustStore, while the private part will be used only once to generate an intermediate certificate. - - The private key of JetBrains CA is super-secret; in fact, we've already said too much. + - The private key of JetBrains CA is super-secret; in fact, we've already said too much. The intermediate certificate issues a certificate that will be used to sign plugins. This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key. The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited. So now we have an AWS-based Intermediate CA. -The public part of the intermediate certificate will be added to the plugin file together with the signing certificate. +The public part of the intermediate certificate will be added to the plugin file together with the signing certificate. The certificate used to sign plugins is stored securely, too. JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files. @@ -44,7 +44,7 @@ Both methods require a private certificate key to be already present. ### Generate Private Key -To generate an RSA `private.pem` private key, run the `openssl genpkey` command in the terminal, as below: +To generate an RSA private.pem private key, run the `openssl genpkey` command in the terminal, as below: ```bash openssl genpkey\ @@ -54,10 +54,10 @@ openssl genpkey\ -pkeyopt rsa_keygen_bits:4096 ``` -At this point, the generated `private.pem` content should be provided to the `signPlugin.privateKey` property. +At this point, the generated private.pem content should be provided to the `signPlugin.privateKey` property. Provided password should be specified as the `signPlugin.password` property in the `signPlugin` configuration. -As a next step, we'll generate a `chain.crt` certificate chain with: +As a next step, we'll generate a chain.crt certificate chain with: ```bash openssl req\ @@ -68,7 +68,7 @@ openssl req\ -out chain.crt ``` -The content of the `chain.crt` file will be used for the `signPlugin.certificateChain` property. +The content of the chain.crt file will be used for the `signPlugin.certificateChain` property. ### Gradle IntelliJ Plugin @@ -184,7 +184,7 @@ publishPlugin { -In the _Run/Debug Configuration_ for `publishPlugin` Gradle task, provide _Environment Variables_ using relevant environment variable names: +In the Run/Debug Configuration for `publishPlugin` Gradle task, provide Environment Variables using relevant environment variable names: ![Run/Debug Configuration Environment Variables](plugin_singing_env_variables.png) @@ -193,7 +193,7 @@ In the _Run/Debug Configuration_ for `publishPlugin` Gradle task, provide _Envir CLI tool is required if you don't rely on the Gradle IntelliJ Plugin – i.e. when working with Themes. To get the latest Marketplace ZIP Signer CLI Tool, visit the [JetBrains/marketplace-zip-signer](https://github.com/JetBrains/marketplace-zip-signer/releases) GitHub Releases page. -After downloading the `zip-signer-cli.jar`, execute it as below: +After downloading the zip-signer-cli.jar, execute it as below: ```bash java -jar zip-signer-cli.jar sign\