Keystores may contain multiple entries. Along with allowing the user to enter the alias, they need to potentially be able to enter a password for that particular key. This raises a security issue:

Open questions - Anki, please clarify. Do we:

1. Store the password in the clear in project.properties (will be shared in version control and can be read by anyone who checks the project out or gets its source code)
2. Store the password with breakable obfuscation in project.properties - i.e. base64 or something (will be shared in version control and can be read by anyone who checks the project out or gets its source code)
3. Store the password with strong encryption in project.properties (will be shared in version control and can be read by anyone who checks the project out or gets its source code) - however, the private key will need to be embedded in NetBeans and available to Ant tasks, so this is just obfuscation - somebody who really wants to can find the key
4. Store the password in the clear in nbproject/private/private.properties (will NOT be shared in version control, but anyone who wants to build the project needs to get the password from someone else or change the keystore used). Someone with access to the machine w/ the password will be able to read the password.
5. Store the password with breakable obfuscation in nbproject/private/private.properties (will NOT be shared in version control, but anyone who wants to build the project needs to get the password from someone else or change the keystore used). Someone with access to the machine w/ the password will be able to copy the munged password.
There is a property "sign.bundle" which is set to true/false based on the checkbox selected in the security tab of project properties. ${keystore.resolved} contains the file selected. We need more information:

- storepass : password for the keystore
- alias : alias (of the private key and certificate) name in the keystore
- passkey : password to read the info in the alias.

How about the property names as follows:

- sign.storepass
- sign.alias
- sign.passkey

I'll try to change the build script/ant tasks to use these properties.

Note: A keystore can have more than one alias. Each is identified using a simple string, and each alias is protected by a password. Think of the keystore file as a database of aliases. There will be a password for the keystore itself and another password for each alias. The UI should accept this information.

Nice to have: We can populate all aliases from a keystore and use a dropdown box to select one. To populate the aliases, the storepassword needs to be entered and then we need to refresh the list.
To store the password I go with option 4 or 5. Maybe 4 seems to be easy enough. BASE64 is not a strong protective thing anyway. No point in getting ourselves doing encoding/decoding in the ant build or somewhere. And this kind of signing is only for RI.
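A check for the storage options discussed above, as an added example that is not part of the original thread or the NetBeans code base: it flags keystore passwords that land in the shared properties file, and goes slightly further by noting base64-encoded values in the private file. The property names are the ones proposed in the thread; the `nbproject/project.properties` location and the sample file contents are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# Property names as proposed in the thread; file locations assume the
# standard NetBeans project layout (assumption, not stated on the page).
SECRET_KEYS = {"sign.storepass", "sign.passkey"}
SHARED = Path("nbproject/project.properties")
PRIVATE = Path("nbproject/private/private.properties")

# Constructed sample project contents (not real credentials).
SAMPLE = {
    "nbproject/project.properties":
        "# shared\nsign.bundle=true\nsign.alias=demo\nsign.storepass=changeit\n",
    "nbproject/private/private.properties":
        "sign.passkey=" + base64.b64encode(b"example-pass").decode() + "\n",
}

def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, skips #/! comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def looks_base64(value):
    """True if value strictly decodes as base64 to printable ASCII text."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) >= 8 and decoded.isascii() and decoded.decode("ascii").isprintable()

def audit(files):
    """files: mapping of relative path -> file text. Returns sorted findings."""
    findings = []
    for path, text in files.items():
        for key, value in parse_properties(text).items():
            if key not in SECRET_KEYS or not value:
                continue
            if Path(path) == SHARED:
                # Options 1-3: readable by anyone who checks the project out.
                findings.append((path, key, "secret in version-controlled file"))
            elif Path(path) == PRIVATE and looks_base64(value):
                # Option 5: anyone with the file can decode or copy it.
                findings.append((path, key, "base64 is encoding, not protection"))
    return sorted(findings)
```

A cleartext value in the private file (option 4) produces no finding, since that is the placement the thread settles on.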
Fixed in changeset 250b7f20de16 - build-script support (issue 171017 pending).
Integrated into 'main-golden', will be available in build *200908311509* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)

Changeset: http://hg.netbeans.org/main-golden/rev/250b7f20de16
User: Tim Boudreau <tboudreau@netbeans.org>
Log: #170647, #170650, #170652 - project properties support for keystore alias and master/alias password. Build script support pending.