Hardware token signing #291

Open
Perneel opened this issue May 2, 2017 · 45 comments

@Perneel

Perneel commented May 2, 2017

I was wondering if it is possible to sign jars with a hardware token. Since February 2017, GlobalSign only issues CodeSigning certificates with an eToken (USB). According to GlobalSign's website, the command for signing a jar with an eToken is as follows (full article):

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5"

Is it possible to set the tsa, providerClass and providerArg in the configuration? Something like this:

    <configuration>
        <mainClass>myApp.ui.MainApp</mainClass>
        <verbose>true</verbose>
        <allPermissions>true</allPermissions>
        <j2seVersion>1.8+</j2seVersion>

        <!-- SIGNING PART -->
        <keyStore>NONE</keyStore>
        <keyStoreType>PKCS11</keyStoreType>
        <keyStorePassword>changeit</keyStorePassword>
        <tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa> <!-- <- -->
        <providerClass>sun.security.pkcs11.SunPKCS11</providerClass> <!-- <- -->
        <providerArg>eToken.cfg</providerArg> <!-- <- -->
        <keyStoreAlias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</keyStoreAlias> <!-- is this correct? -->

    </configuration>
@FibreFoX
Member

FibreFoX commented May 2, 2017

Hi @Perneel , thanks for that question. This is actually an interesting topic. The original javapackager uses something called "BLOB Signing", which gets dropped with JDK9 (and never got grip in the ecosystem). I have added the jarsigner-option later, and it requires a keystore, but the command required to sign the code uses NONE as keystore.

I already have an idea how to provide this feature, but currently this is not (yet) supported. Will tinker with a solution and I'm going to report back to you as soon as possible. You might be required to check with a SNAPSHOT-version, so please make sure you know how to access these versions.

@Perneel
Author

Perneel commented May 2, 2017

Ok, thank you for the fast response!

@FibreFoX
Member

FibreFoX commented May 2, 2017

Hi there,

took me a bit to find all configuration-parts, but this should work with a fresh 8.8.4-SNAPSHOT-version.

<configuration>
    <mainClass>myApp.ui.MainApp</mainClass>
    <verbose>true</verbose>
    <j2seVersion>1.8+</j2seVersion>

    <!-- this only sets the field inside jar-file -->
    <allPermissions>true</allPermissions>

    <!-- this makes the JNLP-file having permissions being set -->
    <!-- AND it is the trigger for signing jar-files using jarsigner -->
    <bundleArguments>
        <jnlp.allPermissions>true</jnlp.allPermissions>
    </bundleArguments>

    <!-- this setting is required for the new "jarsigner"-feature -->
    <noBlobSigning>true</noBlobSigning>

    <!-- these are required, please change them for your own requirements -->
    <keyStoreAlias>myalias</keyStoreAlias>
    <keyStorePassword>password</keyStorePassword>

    <!-- as this keystore is no file, please disable file-checks -->
    <skipKeyStoreChecking>true</skipKeyStoreChecking>

    <!-- this is used for additional parameters for the jarsigner command -->
    <additionalJarsignerParameters>
        <additionalJarsignerParameter>-keystore</additionalJarsignerParameter>
        <additionalJarsignerParameter>NONE</additionalJarsignerParameter>
        <additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
        <additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
        <additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
        <additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
        <additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
        <additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
        <additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
        <additionalJarsignerParameter>eToken.cfg</additionalJarsignerParameter>
        <!-- I DO KNOW that this is verbose ... -->
    </additionalJarsignerParameters>

    <keyStoreAlias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</keyStoreAlias>
</configuration>

As far as I understood the article you have linked, the eToken.cfg-file should be stored in the same folder as the pom.xml, but I never had to work with jarsigner in that way.

Can you try with the current snapshot and configuration above, and report back?

@Perneel
Author

Perneel commented May 2, 2017

Ok I'll give it a shot, I think the last row keyStoreAlias should be removed? As it is already configured above as myalias?

@FibreFoX
Member

FibreFoX commented May 2, 2017

Oh, my bad ;) only ONE keyStoreAlias is needed, correct! I created that configuration-block too hastily

@Perneel
Author

Perneel commented May 2, 2017

Just tried it out, got the following failure:

--- javafx-maven-plugin:8.8.4-SNAPSHOT:build-jar (create-jfxjar) @ CL_AppM ---
Building JavaFX JAR for application
Adding 'deploy' directory to Mojo classpath: D:\NetBeansProjects\App-M\maven\CL_AppM/src/main/deploy

--- javafx-maven-plugin:8.8.4-SNAPSHOT:build-web (create-web) @ CL_AppM ---
Please not that this MOJO will get removed with the next release!
You should upgrade to jnlp-bundler.
Building Web deployment bundles
Adding 'deploy' directory to Mojo classpath: D:\NetBeansProjects\App-M\maven\CL_AppM/src/main/deploy
No base JDK. Package will use system JRE.
No base JDK. Package will use system JRE.
Permissions requested, signing JAR files for webstart bundle
------------------------------------------------------------------------
BUILD FAILURE
------------------------------------------------------------------------
Total time: 1:39.678s
Finished at: Tue May 02 18:37:48 CEST 2017
Final Memory: 33M/439M
------------------------------------------------------------------------
Failed to execute goal com.zenjava:javafx-maven-plugin:8.8.4-SNAPSHOT:build-web (create-web) on project CL_AppM: Keystore does not exist, use 'jfx:generate-key-store' command to make one (expected at: D:\NetBeansProjects\App-M\maven\CL_AppM\src\main\deploy\keystore.jks) -> [Help 1]

To see the full stack trace of the errors, re-run Maven with the -e switch.
Re-run Maven using the -X switch to enable full debug logging.

For more information about the errors and possible solutions, please read the following articles:
[Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Looks like it is still checking for a keystore even though skipKeyStoreChecking is set to true?

@FibreFoX
Member

FibreFoX commented May 2, 2017

Oh, there is the problem, please use the build-native-goal, the old build-web bundler is deprecated in favor of the newer "jnlp"-bundler. ;) this is even mentioned in the output.

To generate with the new bundler, please set <bundler>jnlp</bundler> and use build-native as goal.

@FibreFoX
Member

FibreFoX commented May 2, 2017

Additional note: the result is created in the folder target/jfx/native, to change it back, you just have to set <nativeOutputDir>${project.build.directory}/jfx/web</nativeOutputDir>

@Perneel
Author

Perneel commented May 2, 2017

Sorry, my bad. It's been a long day :) I got a BUILD SUCCESS now, however, if I check with jarsigner -verify, it lets me know that the jar is unsigned.

Probably doing something wrong again... :)

--- javafx-maven-plugin:8.8.4-SNAPSHOT:build-jar (create-jfxjar) @ CL_AppM ---
Building JavaFX JAR for application
Adding 'deploy' directory to Mojo classpath: D:\NetBeansProjects\App-M\maven\CL_AppM/src/main/deploy

--- javafx-maven-plugin:8.8.4-SNAPSHOT:build-native (jnlp-bundler) @ CL_AppM ---
Building Native Installers
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\CL_AppM-0.9.8-jfx.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\aopalliance-repackaged-2.4.0-b34.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-beanutils-1.8.0.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-codec-1.10.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-collections-3.2.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-collections4-4.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-httpclient-3.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-io-1.3.2.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-lang-2.5.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\commons-logging-1.2.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\core-1.2.8.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\ezmorph-1.0.6.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\hamcrest-core-1.3.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\hk2-api-2.4.0-b34.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\hk2-locator-2.4.0-b34.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\hk2-utils-2.4.0-b34.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\httpclient-4.5.2.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\httpcore-4.4.4.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\httpmime-4.2.5.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-annotations-2.8.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-core-2.8.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-databind-2.8.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-datatype-jsr310-2.8.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-jaxrs-base-2.5.4.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-jaxrs-json-provider-2.5.4.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jackson-module-jaxb-annotations-2.5.4.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\javassist-3.18.1-GA.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\javax.annotation-api-1.2.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\javax.inject-2.4.0-b34.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\javax.ws.rs-api-2.0.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jersey-client-2.23.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jersey-common-2.23.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jersey-entity-filtering-2.23.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jersey-guava-2.23.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jersey-media-jaxb-2.23.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jersey-media-json-jackson-2.23.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jira-client-0.5.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\joda-time-2.3.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\json-lib-2.4-jdk15.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\jsoup-1.8.3.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\junit-4.12.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\log4j-api-2.6.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\log4j-core-2.6.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\mockito-all-1.9.0.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\osgi-resource-locator-1.0.1.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\poi-3.15.jar file to application resources.
Add D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\app\lib\preloader-1.3.0.jar file to application resources.
The jar lib\core-1.2.8.jar has a main class Appm.core_Appm.MainApp that does not match the declared main App_m.ui.MainApp
Running [C:\Program Files\Java\jdk1.8.0_121\jre\bin\java, -version]
Creating app bundle: CL_AppM-0.9.8 in D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\native
  Using default package resource [application icon]  (add package/windows/CL_AppM-0.9.8.ico to the class path to customize)
Running [C:\Users\Steven\AppData\Local\Temp\iconswap349803052956321475.exe, C:\Users\Steven\AppData\Local\Temp\fxbundler1302590128170426417\windows\CL_AppM-0.9.8.ico, D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\native\CL_AppM-0.9.8\CL_AppM-0.9.8.exe]
Icon File Name: C:\Users\Steven\AppData\Local\Temp\fxbundler1302590128170426417\windows\CL_AppM-0.9.8.ico
Executable File Name: D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\native\CL_AppM-0.9.8\CL_AppM-0.9.8.exe
Result application bundle: D:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\native
  Config files are saved to C:\Users\Steven\AppData\Local\Temp\fxbundler1302590128170426417\windows. Use them to customize package.
The jar lib\core-1.2.8.jar has a main class Appm.core_Appm.MainApp that does not match the declared main App_m.ui.MainApp
Running [C:\Program Files\Java\jdk1.8.0_121\jre\bin\java, -version]
Detected [iscc.exe] version 0 but version 5 is required.
Skipping 'EXE Installer' because of configuration error 'Can not find Inno Setup Compiler (iscc.exe).'
Advice to fix:   Download Inno Setup 5 or later from http://www.jrsoftware.org and add it to the PATH.
The jar lib\core-1.2.8.jar has a main class Appm.core_Appm.MainApp that does not match the declared main App_m.ui.MainApp
Running [C:\Program Files\Java\jdk1.8.0_121\jre\bin\java, -version]
Detected [candle.exe] version 0 but version 3 is required.
Detected [light.exe] version 0 but version 3 is required.
Skipping 'MSI Installer' because of configuration error 'Can not find WiX tools (light.exe, candle.exe).'
Advice to fix:   Download WiX 3.0 or later from http://wix.sf.net and add it to the PATH.
Skipping 'WebStart JNLP Bundler' because of configuration error 'No OutFile Specificed'
Advice to fix: Please specify the name of the JNLP Outut file in 'jnlp.outfile'

--- maven-install-plugin:2.3.1:install (default-install) @ CL_AppM ---
Installing D:\NetBeansProjects\App-M\maven\CL_AppM\target\CL_AppM-0.9.8.jar to C:\Users\Steven\.m2\repository\App-M\CL_AppM\0.9.8\CL_AppM-0.9.8.jar
Installing D:\NetBeansProjects\App-M\maven\CL_AppM\pom.xml to C:\Users\Steven\.m2\repository\App-M\CL_AppM\0.9.8\CL_AppM-0.9.8.pom
------------------------------------------------------------------------
BUILD SUCCESS
------------------------------------------------------------------------
Total time: 1:52.696s
Finished at: Tue May 02 19:22:29 CEST 2017
Final Memory: 34M/436M
------------------------------------------------------------------------ 

@Perneel
Author

Perneel commented May 2, 2017

ah maybe my bad in the short explanation. With the previous keystore (before the hardware key), I signed all jars (so including dependencies) and created a JNLP file to launch the application.

@FibreFoX
Member

FibreFoX commented May 2, 2017

I missed another stupid thing, which even is printed in the log:

Advice to fix: Please specify the name of the JNLP Outut file in 'jnlp.outfile'

Please try with this revised version of the configuration:

<configuration>
    <mainClass>myApp.ui.MainApp</mainClass>
    <verbose>true</verbose>
    <j2seVersion>1.8+</j2seVersion>

    <!-- this only sets the field inside jar-file -->
    <allPermissions>true</allPermissions>

    <!-- this makes the JNLP-file having permissions being set -->
    <!-- AND it is the trigger for signing jar-files using jarsigner -->
    <bundleArguments>
        <jnlp.allPermissions>true</jnlp.allPermissions>

        <!-- the JNLP-bundler is a bit picky about its parameters, it does not use <appName> -->
        <jnlp.outfile>YourApplication</jnlp.outfile>
    </bundleArguments>

    <!-- this setting is required for the new "jarsigner"-feature -->
    <noBlobSigning>true</noBlobSigning>

    <!-- these are required, please change them for your own requirements -->
    <keyStoreAlias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</keyStoreAlias>
    <keyStorePassword>password</keyStorePassword>

    <!-- as this keystore is no file, please disable file-checks -->
    <skipKeyStoreChecking>true</skipKeyStoreChecking>

    <!-- this is used for additional parameters for the jarsigner command -->
    <additionalJarsignerParameters>
        <additionalJarsignerParameter>-keystore</additionalJarsignerParameter>
        <additionalJarsignerParameter>NONE</additionalJarsignerParameter>
        <additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
        <additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
        <additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
        <additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
        <additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
        <additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
        <additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
        <additionalJarsignerParameter>eToken.cfg</additionalJarsignerParameter>
        <!-- I DO KNOW that this is verbose ... -->
    </additionalJarsignerParameters>
</configuration>

@FibreFoX
Member

FibreFoX commented May 2, 2017

Sometimes it is better to add the plugin-block for debugging, I never would have guessed you are using build-web when I haven't got some log ;)

@Perneel
Author

Perneel commented May 2, 2017

just tried, yet the jar in /target/jfx/native/ is still unsigned according to jarsigner... am I doing something bad? :)

@FibreFoX
Member

FibreFoX commented May 2, 2017

@Perneel can you try to create some small project including some anonymized configuration inside the pom.xml for me to check? You can use an empty mainClass (which does extend javafx.application.Application), because this is a configuration issue (probably).

@Perneel
Author

Perneel commented May 2, 2017

not sure if it's possible without the hardware key? :p

I can post the plugin configuration though if you want?

@FibreFoX
Member

FibreFoX commented May 2, 2017

All I need is the plugin-part of the javafx-maven-plugin, there might be some issue with the plugin-configuration within the executions. Oh, as this is visible for PUBLIC, please make sure to anonymise all critical data. No need for a full compilable project ;)

@Perneel
Author

Perneel commented May 2, 2017

There you go! :)

	<plugin>
                    <groupId>com.zenjava</groupId>
                    <artifactId>javafx-maven-plugin</artifactId>
                    <version>8.8.4-SNAPSHOT</version>
                    <configuration>
                        <mainClass>App_m.ui.MainApp</mainClass>
                        <description>test signing</description>
                        <title>launch</title>
                        <verbose>true</verbose>
                        <j2seVersion>1.8+</j2seVersion>

                        <!-- this only sets the field inside jar-file -->
                        <allPermissions>true</allPermissions>

                        <!-- this makes the JNLP-file having permissions being set -->
                        <!-- AND it is the trigger for signing jar-files using jarsigner -->
                        <bundleArguments>
                            <jnlp.allPermissions>true</jnlp.allPermissions>
                            
                            <!-- the JNLP-bundler is a bit picky about its parameters, it does not use <appName> -->
                            <jnlp.outfile>YourApplication</jnlp.outfile>
                        </bundleArguments>

                        <!-- this setting is required for the new "jarsigner"-feature -->
                        <noBlobSigning>true</noBlobSigning>

                        <!-- these are required, please change them for your own requirements -->
                        <keyStoreAlias>myalias</keyStoreAlias>
                        <keyStorePassword>mypass</keyStorePassword>

                        <!-- as this keystore is no file, please disable file-checks -->
                        <skipKeyStoreChecking>true</skipKeyStoreChecking>

                        <!-- this is used for additional parameters for the jarsigner command -->
                        <additionalJarsignerParameters>
                            <additionalJarsignerParameter>-keystore</additionalJarsignerParameter>
                            <additionalJarsignerParameter>NONE</additionalJarsignerParameter>
                            <additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
                            <additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
                            <additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
                            <additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
                            <additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
                            <additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
                            <additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
                            <additionalJarsignerParameter>D:\NetBeansProjects\App-M\maven\CL_AppM\src\main\resources\token\eToken.config</additionalJarsignerParameter>
                            <!-- I DO KNOW that this is verbose ... -->
                        </additionalJarsignerParameters>
                    </configuration>
                    <executions>
                        <execution>
                            <!-- required before build-web -->
                            <id>create-jfxjar</id>
                            <phase>package</phase>
                            <goals>
                                <goal>build-jar</goal>
                            </goals>
                        </execution>
                        <execution>
                            <id>jnlp-bundler</id>
                            <phase>package</phase>
                            <goals>
                                <goal>build-native</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>

@FibreFoX
Member

FibreFoX commented May 2, 2017

Can you try this configuration by calling mvn clean package?

<plugin>
    <groupId>com.zenjava</groupId>
    <artifactId>javafx-maven-plugin</artifactId>
    <version>8.8.4-SNAPSHOT</version>
    <!-- this configuration is shared among all executions -->
    <configuration>
        <mainClass>App_m.ui.MainApp</mainClass>
        <description>test signing</description>
        <title>launch</title>
        <verbose>true</verbose>
        <j2seVersion>1.8+</j2seVersion>

        <!-- this only sets the field inside jar-file -->
        <allPermissions>true</allPermissions>
    </configuration>
    <executions>
        <execution>
            <!-- required before build-native, creates target/jfx/app -->
            <id>create-jfxjar</id>
            <phase>package</phase>
            <goals>
                <goal>build-jar</goal>
            </goals>
        </execution>
        <execution>
            <!-- creates target/jfx/web -->
            <id>create-jnlp-bundle</id>
            <phase>package</phase>
            <goals>
                <goal>build-native</goal>
            </goals>
            <!-- this configuration is only specific to this execution -->
            <configuration>
                <!-- as we only want to create the JNLP-package, use fixed bundler-ID -->
                <bundler>jnlp</bundler>

                <!-- this makes the JNLP-file having permissions being set -->
                <!-- AND it is the trigger for signing jar-files using jarsigner -->
                <bundleArguments>
                    <jnlp.allPermissions>true</jnlp.allPermissions>

                    <!-- the JNLP-bundler is a bit picky about its parameters, it does not use <appName> -->
                    <jnlp.outfile>CL_AppM</jnlp.outfile>
                </bundleArguments>

                <!-- this setting is required for the new "jarsigner"-feature -->
                <noBlobSigning>true</noBlobSigning>

                <!-- these are required, please change them for your own requirements -->
                <keyStoreAlias>myalias</keyStoreAlias>
                <keyStorePassword>mypass</keyStorePassword>

                <!-- as this keystore is no file, please disable file-checks -->
                <skipKeyStoreChecking>true</skipKeyStoreChecking>

                <!-- this is used for additional parameters for the jarsigner command -->
                <additionalJarsignerParameters>
                    <additionalJarsignerParameter>-keystore</additionalJarsignerParameter>
                    <additionalJarsignerParameter>NONE</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
                    <additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
                    <additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
                    <additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
                    <additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
                    <additionalJarsignerParameter>src/main/resources/token/eToken.config</additionalJarsignerParameter>
                    <!-- I DO KNOW that this is verbose ... -->
                </additionalJarsignerParameters>
                <nativeOutputDir>${project.build.directory}/jfx/web</nativeOutputDir>
            </configuration>
        </execution>
    </executions>
</plugin>

@FibreFoX
Member

FibreFoX commented May 2, 2017

Please note that this will create your jnlp- and jar-files below target/jfx/web

@Perneel
Author

Perneel commented May 2, 2017

Still unsigned it says :(

C:\Program Files\Java\jdk1.8.0_121\bin>jarsigner.exe -verify d:\NetBeansProjects\App-M\maven\CL_AppM\target\jfx\web\CL_AppM-0.9.8-jfx.jar

jar is unsigned.

@FibreFoX
Member

FibreFoX commented May 2, 2017

Can you see the jarsigner being called somewhere in the build-log?

@Perneel
Author

Perneel commented May 2, 2017

Nothing in the build-log no...

@FibreFoX
Member

FibreFoX commented May 2, 2017

Just to confirm: you don't see Signing JAR files for jnlp bundle using jarsigner-method inside your build-log?

@Perneel
Author

Perneel commented May 2, 2017

That is correct

@FibreFoX
Member

FibreFoX commented May 2, 2017

that is more than strange ... will take a deeper look into this :(

@Perneel
Author

Perneel commented May 3, 2017

A solution, I think, would be to comment out keyStorePassword and add storepass as an additionalJarsignerParameter, but that is not possible as keyStorePassword is required :)

@FibreFoX
Member

FibreFoX commented May 3, 2017

I wasn't aware that this storetype requires keypass to be removed, will think about it ;) but we are a step further this time.

@FibreFoX
Member

FibreFoX commented May 3, 2017

@Perneel
I have updated the SNAPSHOT-version, can you retry using mvn clean package -U

You need to add <skipKeypassWhileSigning>true</skipKeypassWhileSigning> to your configuration-block for the build-native goal.

It seems that both storepass and keypass are set with the <keyStorePassword>?

That's kinda true, but it has a nice fallback: https://github.com/javafx-maven-plugin/javafx-maven-plugin/blob/master/src/main/java/com/zenjava/javafx/maven/plugin/NativeMojo.java#L1015

@Perneel
Author

Perneel commented May 3, 2017

jar verified! :)

I'll try to put it online and see if it runs. I got to say that EV Code signing (so with that hardware token) is very slow... took me like 44 minutes :s
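
Added example (not part of the original thread and not the plugin's own code): the build above reported BUILD SUCCESS while jarsigner -verify still answered "jar is unsigned.", so a post-build gate that runs jarsigner -verify over every jar in the bundle directory and reads the printed verdict catches that case. The function names and the JARSIGNER override variable are assumptions made for this example; target/jfx/web is the output directory used in the thread.

```shell
#!/bin/sh
# Post-build signing gate (added example; names below are hypothetical).
# Fails when any jar in the bundle directory is not reported as verified,
# which is the "BUILD SUCCESS but jar is unsigned" situation from the thread.

# Command used for verification. Overridable so the gate can be exercised
# without a JDK or the hardware token present (assumption of this example).
JARSIGNER="${JARSIGNER:-jarsigner}"

# jar_verdict FILE
# Prints one word: "signed", "unsigned" or "error".
# The verdict is taken from the text jarsigner prints ("jar verified." /
# "jar is unsigned."), the same lines quoted in the thread.
jar_verdict() {
    out=$("$JARSIGNER" -verify "$1" 2>&1) || { echo error; return 0; }
    case "$out" in
        *"jar is unsigned"*) echo unsigned ;;
        *"jar verified"*)    echo signed ;;
        *)                   echo error ;;
    esac
}

# check_signed_dir DIR
# Returns 0 only if DIR contains at least one jar and every jar below it
# (application jar and dependency jars alike) is reported as signed.
# Returns 1 if any jar is unsigned or could not be verified,
# and 2 if DIR is missing or contains no jar at all.
check_signed_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    list=$(mktemp) || return 2
    find "$dir" -type f -name '*.jar' > "$list"

    total=0
    bad=0
    while IFS= read -r jar; do
        total=$((total + 1))
        verdict=$(jar_verdict "$jar")
        if [ "$verdict" != signed ]; then
            echo "NOT SIGNED ($verdict): $jar" >&2
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"

    if [ "$total" -eq 0 ]; then
        echo "no jar files found below $dir" >&2
        return 2
    fi
    echo "checked $total jar(s), $bad not signed" >&2
    [ "$bad" -eq 0 ]
}

# Typical use after "mvn clean package":
#   check_signed_dir target/jfx/web || exit 1
```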

@FibreFoX
Member

FibreFoX commented May 3, 2017

That's great news 👍 when you got this verified, I will prepare a new release of the javafx-maven-plugin (but might take some while)

@Perneel
Author

Perneel commented May 3, 2017

I had contact with GlobalSign about the slow signing but they didn't really know what would cause it. Gonna try to put my project folder on the same drive from where I'm starting the building process. Maybe that will speed up some things. Tonight I'll upload the built project, I'll let you know how it went :)

@Perneel
Author

Perneel commented May 4, 2017

Seems the certificate is successfully installed. I can start the application through webstart (jnlp file) and it's showing the correct certificate.

The program itself won't run yet due to missing manifest things but that's caused by my lack of knowledge and is another 'issue' :) Is there a way to modify the manifest with this plugin?

 Caused by: java.lang.SecurityException: JAR manifest requested to run in sandbox only

@Perneel
Author

Perneel commented May 4, 2017

Got it working, awesome job, awesome project :) keep it up!

PS: I had a question on stackoverflow about this with a bounty, feel free to answer there as well: http://stackoverflow.com/questions/43594938/maven-jnlp-creation-with-ev-code-signing

@FibreFoX
Member

FibreFoX commented May 4, 2017

:) good to hear, I hope to get this released next week; until then I will hold this issue open. But please check if my copy-pasted configuration really is correct :D

@Perneel
Author

Perneel commented May 4, 2017

Looks ok ;)

@Perneel
Author

Perneel commented May 8, 2017

Hm did something change at the 8.8.4-SNAPSHOT? For some reason the signing broke again:

Signing jar-files referenced inside generated JNLP-files.
Signing jar-files using jarsigner.
Skipped checking if keystore exists. 
Fixing sizes of JAR files within JNLP-files

However, no signing takes place :(

@FibreFoX
Member

FibreFoX commented May 8, 2017

Nope, did not change anything. Maybe you want to call mvn clean package -U, where -U updates to current available SNAPSHOT-version, maybe your local repository is messed up with a previous version.

@Perneel
Author

Perneel commented May 9, 2017

Hm recreated the profile and now it's working again... I probably fucked something up :D

@Perneel Perneel closed this as completed May 9, 2017
@FibreFoX FibreFoX reopened this May 9, 2017
@FibreFoX
Member

FibreFoX commented May 9, 2017

At least it still works ;)

Will hold this issue open, as this is not yet released.

Note to myself: create some new labels, milestones and other stuff

@Perneel
Author

Perneel commented May 10, 2017

Yea was my bad, pressed 'Close and comment' instead of Comment... sorry :)

FibreFoX added a commit that referenced this issue Jun 28, 2017
@FibreFoX FibreFoX reopened this Jun 28, 2017
@FibreFoX
Member

Not yet published, might take some while as I'm starting to change something bigger here. In the meantime please just use the -SNAPSHOT-version

@FibreFoX FibreFoX added this to the v9.0.0 milestone Aug 15, 2017
@FibreFoX FibreFoX modified the milestones: v9.0.0, v8.9.0 Jan 4, 2018
@FibreFoX FibreFoX removed this from the v8.9.0 milestone Mar 30, 2018