Integrate Google HSM and jarsigner to sign jar files


This question is very similar to this one, but I need help on how to implement this process.

Currently I have this Ant task to sign my jar files:

<target name="task.sign.jars">
    <signjar 
        alias="my-alias" 
        keystore="my-keystore.jks" 
        keypass="123456" 
        storepass="123456"
        tsaurl="http://timestamp.digicert.com"
        lazy="true">
        <path>
            <fileset dir="${deploy.dir}/jars/" includes="**/*.jar" />
        </path>
    </signjar>
</target>

The JKS file 'my-keystore.jks' was generated from the old format of the Code Signing EV certificate, which expired some days ago, and now the new one is delivered to me via the Google HSM platform.

So, what I have now is a public key in a PEM file and an API access token for Google Cloud, and what I need to know, including by examples, is how to integrate Google HSM (private key) and my PEM file to do the same (or a similar) job as described above (in the Ant snippet).

Carlos Spohr (accepted answer):

After many searches and contacting the maintainer of the Jsign project, I reached this solution:

Jsign provides a JCA provider that can be used with jarsigner to sign with a Google Cloud HSM key (disclaimer: Emmanuel Bourg).

The syntax looks like this:

jarsigner -J-cp -Jjsign-5.1-SNAPSHOT.jar -J--add-modules -Jjava.sql \
           -providerClass net.jsign.jca.JsignJcaProvider \
           -providerArg projects/first-rain-123/locations/global/keyRings/mykeyring \
           -keystore NONE \
           -storetype GOOGLECLOUD \
           -storepass <api-access-token> \
           -certchain certificate-chain.pem \
           application.jar <keyname>

PS: you must have the gcloud CLI installed and authenticated on your server.

This solution was provided by Emmanuel Bourg from JSign (thank you so much!).
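The answer's jarsigner command, wrapped as a small signing script that a build (for example an Ant `<exec>` target) could call in place of the original `<signjar>` task. This is an added example, not the asker's code and not part of Jsign; it assumes Python 3 with `jarsigner` and an authenticated `gcloud` on the PATH, takes the keyring path, Jsign jar name and certificate chain file from the answer and the timestamp URL from the question, and uses an environment variable name (`GCP_ACCESS_TOKEN`) of its own choosing. Two things it adds beyond the command as posted: the access token is passed with jarsigner's standard `-storepass:env` option instead of on the command line, so it is not exposed through `ps` or shell history, and every signed jar is verified with `jarsigner -verify -strict` so a bad signature fails the build. The `is_signed` check reproduces the Ant task's `lazy="true"` behaviour.

```python
"""Sign jars with jarsigner + the Jsign JCA provider (Google Cloud HSM key), then verify them."""
import os
import subprocess
import zipfile
from pathlib import Path

# Values taken from the answer's jarsigner command and the question's Ant task.
JSIGN_JAR = "jsign-5.1-SNAPSHOT.jar"
KEYRING = "projects/first-rain-123/locations/global/keyRings/mykeyring"
CERT_CHAIN = "certificate-chain.pem"
TSA_URL = "http://timestamp.digicert.com"
# Assumed name of the environment variable that carries the short-lived API access token.
TOKEN_ENV = "GCP_ACCESS_TOKEN"


def build_jarsigner_cmd(jar, keyname, *, jsign_jar=JSIGN_JAR, keyring=KEYRING,
                        certchain=CERT_CHAIN, tsaurl=TSA_URL, token_env=TOKEN_ENV):
    """argv for the answer's command, as a list (no shell quoting to get wrong).

    The token is handed over with -storepass:env instead of on the command line,
    so it does not show up in `ps` output or shell history.
    """
    return [
        "jarsigner",
        "-J-cp", f"-J{jsign_jar}",
        "-J--add-modules", "-Jjava.sql",
        "-providerClass", "net.jsign.jca.JsignJcaProvider",
        "-providerArg", keyring,
        "-keystore", "NONE",
        "-storetype", "GOOGLECLOUD",
        "-storepass:env", token_env,
        "-certchain", certchain,
        "-tsa", tsaurl,                 # timestamp the signature, as the Ant task did
        str(jar), keyname,
    ]


def verify_cmd(jar):
    """jarsigner verification; -strict turns warnings (bad chain, expired cert) into a non-zero exit."""
    return ["jarsigner", "-verify", "-strict", str(jar)]


def is_signed(jar):
    """Equivalent of the Ant task's lazy="true": a jar counts as signed when META-INF
    already holds a signature file (.SF) together with its block file (.RSA/.DSA/.EC)."""
    with zipfile.ZipFile(jar) as zf:
        names = [n.upper() for n in zf.namelist() if n.startswith("META-INF/")]
    return any(n.endswith(".SF") for n in names) and \
        any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)


def fetch_access_token():
    """Ask the authenticated gcloud CLI for a token (the answer requires gcloud set up on the server)."""
    out = subprocess.run(["gcloud", "auth", "print-access-token"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def sign_and_verify(jars, keyname, token=None, lazy=True):
    """Sign every jar that needs it, verify each result, and return the jars signed in this run."""
    token = token or fetch_access_token()
    env = dict(os.environ)
    env[TOKEN_ENV] = token              # visible only to the jarsigner child process
    signed = []
    for jar in jars:
        if lazy and is_signed(jar):
            continue
        subprocess.run(build_jarsigner_cmd(jar, keyname), check=True, env=env)
        subprocess.run(verify_cmd(jar), check=True)   # fail the build on a bad signature
        signed.append(jar)
    return signed


if __name__ == "__main__":
    import sys
    # usage: python sign_jars.py <deploy.dir>/jars <keyname>
    targets = sorted(Path(sys.argv[1]).rglob("*.jar"))
    print(sign_and_verify(targets, sys.argv[2]))
```

The `-strict` verification validates the certificate chain against the JDK's cacerts, so it fails if the chain in `certificate-chain.pem` does not lead to a root the JDK trusts; that is the intended behaviour for a release build.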