Add support for signing jar and taco files using jar_signer #3894

Merged: 1 commit, Aug 18, 2023

@gaiksaya gaiksaya commented Aug 16, 2023

Description

Add support for signing jar and taco files using jar_signer. Please note that jarsigner is already present in current dockerfiles used for building.

docker run --env JAVA_HOME=/opt/java/openjdk-20 -it opensearchstaging/ci-runner:ci-runner-centos7-opensearch-build-v3 /bin/bash
[opensearch@b90575549a20 ~]$ jarsigner --version
jarsigner 20.0.1
See signature validation

common-utils-2.9.0.0-javadoc.jar  8.63 KB / 8.63 KB  (100%)
2023-08-16 16:29:00 INFO     Executing "jarsigner -verify /Users/gaiksaya/opensearch-project/opensearch-build/common-utils-2.9.0.0-javadoc.jar -verbose -certs -strict" in /private/var/folders/kx/fckh1fzj1nl122p3dch9nclrbnsk_0/T/tmph3u2jyo9/src

s        25 Wed Aug 16 23:28:56 PDT 2023 META-INF/MANIFEST.MF

      >>> Signer
      X.509, CN="Amazon Web Services, Inc.", OU=AWS Search Services, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US, SERIALNUMBER=4152954, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
      [certificate is valid from 4/13/23, 5:00 PM to 4/16/24, 4:59 PM]
      X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
      [certificate is valid from 4/28/21, 5:00 PM to 4/28/36, 4:59 PM]
      X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
      [trusted certificate]
      >>> TSA
      X.509, CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US
      [certificate is valid from 7/13/23, 5:00 PM to 10/13/34, 4:59 PM]
      X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
      [certificate is valid from 3/22/22, 5:00 PM to 3/22/37, 4:59 PM]
      X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 7/31/22, 5:00 PM to 11/9/31, 3:59 PM]

        226 Wed Aug 16 23:28:56 PDT 2023 META-INF/SIGNER.SF
      11640 Wed Aug 16 23:28:56 PDT 2023 META-INF/SIGNER.RSA
          0 Tue Jul 18 21:30:14 PDT 2023 META-INF/

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN="Amazon Web Services, Inc.", OU=AWS Search Services, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US, SERIALNUMBER=4152954, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 3072-bit key
  Timestamped by "CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US" on Wed Aug 16 23:28:57 UTC 2023
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 4096-bit key

jar verified.

Warning:
POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature.

The signer certificate will expire on 2024-04-16.
The timestamp will expire on 2031-11-09.
2023-08-16 16:29:00 INFO     Done.

Issues Resolved

resolves #3895

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
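
A release gate over the verification output quoted in the description, as an added example that is not part of this PR or of the project's sign_workflow code: it parses `jarsigner -verify -verbose -certs -strict` text and checks the signer CN, key size and timestamp rather than trusting the `jar verified.` line alone. The function names, the expected-CN argument and the 3072-bit floor are assumptions made for the example.

```python
import re

# Sample input: lines taken from the output quoted in the PR description (other lines omitted).
SAMPLE = """\
s        25 Wed Aug 16 23:28:56 PDT 2023 META-INF/MANIFEST.MF
- Signed by "CN="Amazon Web Services, Inc.", OU=AWS Search Services, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US, SERIALNUMBER=4152954, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 3072-bit key
  Timestamped by "CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US" on Wed Aug 16 23:28:57 UTC 2023
jar verified.
The signer certificate will expire on 2024-04-16.
"""

def _cn(dn):
    """Return the CN of a distinguished name as jarsigner prints it (value may be quoted)."""
    m = re.search(r'CN=(?:"([^"]*)"|([^,]+))', dn)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()

def parse_verify_output(text):
    """Extract the policy-relevant fields from jarsigner's verification summary."""
    signer = re.search(r'^- Signed by "(.+)"\s*$', text, re.M)
    sig = re.search(r'^\s*Signature algorithm: (\S+), (\d+)-bit key', text, re.M)
    tsa = re.search(r'^\s*Timestamped by "(.+)" on ', text, re.M)
    exp = re.search(r'^The signer certificate will expire on (\d{4}-\d{2}-\d{2})\.', text, re.M)
    return {
        "verified": re.search(r'^jar verified\.\s*$', text, re.M) is not None,
        "signer_cn": _cn(signer.group(1)) if signer else None,
        "sig_alg": sig.group(1) if sig else None,
        "key_bits": int(sig.group(2)) if sig else None,
        "tsa_cn": _cn(tsa.group(1)) if tsa else None,
        "signer_cert_expiry": exp.group(1) if exp else None,
    }

def policy_violations(text, expected_cn, min_key_bits=3072):
    """Return a list of reasons to reject the artifact; an empty list means it passes."""
    r = parse_verify_output(text)
    problems = []
    if not r["verified"]:
        problems.append("no 'jar verified.' line")
    if r["signer_cn"] != expected_cn:
        problems.append(f"unexpected signer CN: {r['signer_cn']!r}")
    if (r["key_bits"] or 0) < min_key_bits:
        problems.append(f"signing key below {min_key_bits} bits")
    if r["tsa_cn"] is None:
        problems.append("signature is not timestamped")
    return problems
```

Text parsing complements, and does not replace, checking jarsigner's exit status; with `-strict` the exit code reflects severe warnings.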


codecov bot commented Aug 16, 2023

Codecov Report

Merging #3894 (1019104) into main (bbdd8ce) will increase coverage by 0.02%.
The diff coverage is 100.00%.

❗ Current head 1019104 differs from pull request most recent head 5580f75. Consider uploading reports for the commit 5580f75 to get more accurate results

@@            Coverage Diff             @@
##             main    #3894      +/-   ##
==========================================
+ Coverage   92.03%   92.06%   +0.02%     
==========================================
  Files         186      187       +1     
  Lines        5639     5660      +21     
==========================================
+ Hits         5190     5211      +21     
  Misses        449      449              
Files Changed                      Coverage Δ
src/sign_workflow/sign_args.py     100.00% <100.00%> (ø)
src/sign_workflow/signer_jar.py    100.00% <100.00%> (ø)
src/sign_workflow/signers.py       100.00% <100.00%> (ø)

@gaiksaya gaiksaya merged commit 0517711 into opensearch-project:main Aug 18, 2023
12 checks passed
@gaiksaya gaiksaya deleted the add_jar_signer branch August 18, 2023 22:51