Plugin Signing is a mechanism introduced in the 2021.2 release cycle to increase security in JetBrains Marketplace and all of our IntelliJ-based IDEs.
The Marketplace signing is designed to ensure that plugins are not modified over the course of the publishing and delivery pipeline. If the author does not sign the plugin or has a revoked certificate, a warning dialog will appear in the IDE during installation.
On our side, we will check if the public part of a key is present, and we will verify the signature. This is similar to the Google upload key mechanism.
How Signing Works
To be sure a file has not been modified, the file will be signed twice – first by the plugin author, then by JetBrains Marketplace.
The plugin author's sign-verify process is as follows:
A plugin author generates a key pair and uploads the public part to JetBrains Marketplace (this feature is not yet available).
A build tool signs a plugin file during the assembly process.
The user uploads the plugin file to JetBrains Marketplace.
JetBrains Marketplace checks if the public key is present in the user profile.
JetBrains Marketplace verifies the signature.
The JetBrains sign-verify process is as follows:
JetBrains CA is used as the source of truth here.
Its public part will be added to the IDE Java TrustStore, while the private part will be used only once to generate an intermediate certificate.
The private key of JetBrains CA is super-secret; in fact, we've already said too much.
The intermediate certificate issues a certificate that will be used to sign plugins. This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key. The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited. So now we have an AWS-based Intermediate CA. The public part of the intermediate certificate will be added to the plugin file together with the signing certificate.
The certificate used to sign plugins is stored securely, too. JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files.
To provide a suitable method for plugin signing, we have introduced the Marketplace ZIP Signer library. It can be executed using the
signPlugin task provided by the Gradle IntelliJ Plugin if your project is Gradle-based. Alternatively, it can be used standalone CLI Tool.
Both methods require a private certificate key to be already present.
Generate Private Key
To generate an RSA private.pem private key, run the
openssl genpkey command in the terminal, as below:
After that, it's required to convert it into the RSA form with:
At this point, the generated private.pem content should be provided to the
signPlugin.privateKey property. Provided password should be specified as the
signPlugin.password property in the
As a next step, we will generate a chain.crt certificate chain with:
The content of the chain.crt file will be used for the
Gradle IntelliJ Plugin
1.x, the Gradle IntelliJ Plugin provides the
signPlugin task, which will be executed automatically right before the
publishPlugin task when
signPlugin.privateKey signing properties are specified. Otherwise, it'll be skipped.
signPlugin task configuration may look like:
Instead of using the
signPlugin.certificateChain properties which expect providing the key and certificate chain content directly, it's also possible to specify the paths to the files containing the key and certificate chain content. To do that, use the
signPlugin.certificateChainFile properties instead.
Provide Secrets to IDE
To avoid storing hard-coded values in the project configuration, the most suitable method for local development would be using environment variables provided within the Run/Debug Configuration.
To specify secrets like
PUBLISH_TOKEN and values required for the
signPlugin task, modify your Gradle configuration as follows:
In the Run/Debug Configuration for
publishPlugin Gradle task, provide Environment Variables using relevant environment variable names:
CLI tool is required if you don't rely on the Gradle IntelliJ Plugin – i.e. when working with Themes.
To get the latest Marketplace ZIP Signer CLI Tool, visit the JetBrains/marketplace-zip-signer GitHub Releases page. After downloading the marketplace-zip-signer-cli.jar, execute it as below:
Signing for Custom Repositories
Signing plugins hosted on a custom repository can be accomplished for added trust between the repository and installation. However, unlike Marketplace, the custom repository will not re-sign the plugin with the JetBrains key. Instead, a trusted private CA or self-signed certificate can be used to sign and validate plugins.
Before looking at how we can sign a plugin, let's first review how verification works when a non-JetBrains certificate is used. As of 2021.2, during verification, IntelliJ-based IDEs check if the plugin was signed by the JetBrains CA certificate or any public key provided by the user via
intellij.plugins.truststore, pointing to a trusted JKS TrustStore. During verification, the plugin's public key is extracted from the signature. The last certificate entry in the chain matched against the certificates stored in one of the storages from above.
Using a Trusted Internal CA
If an internal CA is available, you can use this to generate certificates for signing. When choosing this route, the certificate chain includes the root CA public key at the end of the chain.
With this approach, existing internal TrustStores may exist and could be used. Be sure when choosing a TrustStore that the CAs are limited to the internal CAs you trust. Using a TrustStore with public CAs can expose the users to an attack vector.
If adding a TrustStore to a users environment is not possible, the user may also add the root CAs public key to.
Using Self-Signed Certificates
Using a self-signed certificate is an option if no internal CAs exist. To generate the key and public key, see: Generate Private Key
If providing users with a TrustStore, you can generate one with the public key using
(note: the TrustStore password must remain
Otherwise, users may add the public key manually to.
Plugin Signature Verification
To verify the signature of a plugin, you can use the
By default, this task will use the same certificate chain as provided to the
signPlugin task in the previous section.
To verify the signature using CLI tool, execute the
verify command as below: