mercedes-benz / sechub-plugin-intellij

intellij plugin for sechub
MIT License

Add plugin signing to plugin publishing #25

Closed de-jcup closed 3 years ago

de-jcup commented 3 years ago

Situation

I received a newsletter from JetBrains: https://blog.jetbrains.com/platform/2021/09/busy-plugin-developers-newsletter-summer-2021/

which contains:

An important facet for the 2021.2 release cycle is the increased security in JetBrains Marketplace and our IDEs. To ensure that plugins are not modified over the course of the publishing and delivery pipeline, we introduced a signing mechanism to JetBrains Marketplace. This way, we can be sure that every plugin uploaded to the Marketplace is delivered to end-users untouched. The next step is to introduce additional signing by plugin authors to verify that no modifications were made during the publishing process. Learn more about how signing works.

The complete process is described at https://plugins.jetbrains.com/docs/intellij/plugin-signing.html

Impact

Before those changes, the signing was only done by JetBrains and developers DID NOT need to sign the jars by themselves. As a matter of fact, the old upload process from the plugin developer machine to the JetBrains Marketplace could be intercepted and manipulated - but... an attacker could also use their own self-signed parts to sign again (so I do not see a real security advantage here...)

But ... maybe... this is also the reason for: https://github.com/Daimler/sechub-plugin-intellij/issues/17 where the import process did not start because of a class not found exception?

We got:

IntelliJ Version: 2021.2 Ultimate Edition,
SecHub Plugin Version: 0.2.1

which is exactly the IntelliJ version mentioned inside the newsletter! So maybe Issue #17 could be done by just signing the jar before upload?

Solution

We change the deployment as described at the IntelliJ web pages and sign the content with a private key on the developer machine before uploading to the JetBrains Marketplace.
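As an added illustration of the signing step described above (this is not the sechub-plugin-intellij project's own build file), the Gradle Kotlin DSL fragment below wires the `signPlugin` and `publishPlugin` tasks of the gradle-intellij-plugin so that the certificate chain, private key and Marketplace token come from environment variables on the developer machine rather than from files in the repository. The environment variable names and the plugin version placeholder are assumptions.

```kotlin
// build.gradle.kts (Gradle Kotlin DSL), added example for the gradle-intellij-plugin 1.x
// signing flow documented at https://plugins.jetbrains.com/docs/intellij/plugin-signing.html
plugins {
    id("org.jetbrains.intellij") version "1.x.y"   // placeholder: use the real plugin version
}

intellij {
    // Minimum platform mentioned in this issue; building against it requires JDK 11.
    version.set("2020.3")
}

tasks {
    signPlugin {
        // Assumption: the developer machine (or CI job) exports these three variables.
        // Chain and key are passed as PEM text so no key material is checked in.
        certificateChain.set(providers.environmentVariable("CERTIFICATE_CHAIN"))
        privateKey.set(providers.environmentVariable("PRIVATE_KEY"))
        password.set(providers.environmentVariable("PRIVATE_KEY_PASSWORD"))
    }

    publishPlugin {
        // publishPlugin runs after signPlugin, so the ZIP that reaches JetBrains
        // Marketplace is the signed one; the upload token is also taken from the environment.
        token.set(providers.environmentVariable("PUBLISH_TOKEN"))
    }
}
```

If a variable is missing the signing task fails instead of silently uploading an unsigned artifact, which is the behaviour you want for a release build.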

de-jcup commented 3 years ago

Upgraded (min) dependency to JetBrains version 2020.3, which needs JDK 11