How to sign jar using jarsign without providing -storepass?

Question

Using jarsign without -storepass will prompt for the keystore password, which will break our automated build (no human intervention)

If we use jarsign with -storepass, then this will effectively log the password in cleartext in the build log.

Is there another way to pass storepass without using the command-line?

You could always pipe the input from a separate file. Though this is only slightly more secure because now you have a file stored on the system with passwords in it. — Perception, Apr 17 '12 at 17:42

score 1 · Accepted Answer · answered May 14 '12 at 17:35

1

I wrote a script to call jarsign.

So in the build log, we only see the wrapper script.

Storepass is piped to jarsign so it's not visible on the command-line (as @Perception suggested).

answered May 14 '12 at 17:35

Long Vu

score 0 · Answer 2 · answered Apr 17 '12 at 20:51

0

If you use Maven you could try with the Jarsigner Plugin. There you could load the storepass from a property defined in your settings.xml

answered Apr 17 '12 at 20:51

Carlos Tasada

2 Answers2