2

I need to sign the jar file. I did that by applying the "signing" plugin and adding a signing block like below:

apply plugin: 'signing'
signing {
    required { gradle.taskGraph.hasTask("makeService") }
    sign configurations.archives
}

In the end I am able to add PGP keys and sign the jar, but the signature is placed outside the jar file as an .asc file (testJar.jar.asc).

But when I did this in Maven, it signed all the class info and placed the signature files in the META-INF directory.

Is there any way to sign like that in Gradle?

Please help. I tried googling and forums but was not able to find any info.

Slok
  • 91
  • 2
  • 7

3 Answers

7
// Signing
// def jarsignerskip = false
def keystoreFile = new File('urkeystore.jks')
def keystorepass = 'keystoreP@@S'
def keyalias = 'selfSigned'

task signJar(dependsOn: 'jar', description: 'to Sign JAR.', group: 'Build') {
    doLast {
        println ":$project.name:${name}"
        def signdir = new File("$buildDir/jars/signed")
        signdir.mkdirs()
        ant.signjar(
            destDir: "${signdir.absolutePath}",
            jar: 'build/jars/*.jar',
            alias: keyalias,
            storetype: "jks",
            keystore: "${keystoreFile.absolutePath}",
            storepass: keystorepass,
            verbose: true,
            preservelastmodified: "true"
        )
    }
}

It works for me.

Slok
  • 91
  • 2
  • 7
3

ASC is used for a digital signature of the archive for publication.

But there you need a signed JAR.

First, do this in the console:

1) Create a private key

keytool -genkey -alias test_app_alias -validity 3650  -keystore test_app_sign.jks

As a password, use password123

2) Sign the JAR using your private key

jarsigner -keystore test_app_sign.jks -storepass password123 -keypass password123 build/libs/<name>.jar test_app_alias

3) Check that everything was done correctly by looking at the resulting file, or run the command

jarsigner -verify build/libs/<name>.jar

Add the code in build.gradle. For example:

jar << {
    def passwd = "password123"
    def app_alias = "test_app_alias"
    def jks_file = "test_app_sign.jks"

    def exec_line = "jarsigner -keystore " + jks_file + " -storepass " +
        passwd + " -keypass "+ passwd + " " + jar.archivePath + " " + app_alias
    print  exec_line
    exec_line.execute()
}
Kirill Podlivaev
  • 446
  • 7
  • 11
  • 2
    Don't forget that if signing fails, the jar file must be deleted, otherwise on the next build run, Gradle will surely think it's up to date and not sign it again. – Hakanai Mar 27 '18 at 04:21
  • I know it's old but... this above will just sign the jar, right? How do you generate the `.pom.asc` file using the jks? (For publishing on maven) – JonasVautherin Apr 04 '23 at 13:49
0

This is how I resolved the error message:

jar {
    doLast {
        def exec_line = "jarsigner -keystore " + jks_file + " -storepass " + signer_pass + " -keypass "+ signer_pass + " " + jar.archivePath + " " + signer_alias
        print  exec_line
        exec_line.execute()
        }
}
Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
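
The `jarsigner` answers above build one command string with the password in it, print it, and never wait for the result. The following is an added example, not code from any of the answers: the same `jar { doLast { ... } }` hook, but with the credentials read from environment variables, the exit code checked, and the jar deleted when signing fails, as the comment above recommends. The `SIGN_*` variable names are assumptions, `jarsigner` is assumed to be on the PATH, and `archiveFile` assumes Gradle 5.1 or later.

```groovy
import java.util.zip.ZipFile

// Assumed variable names (not from the answers above); set them in the CI job or shell.
def signEnv = ['SIGN_KEYSTORE', 'SIGN_ALIAS', 'SIGN_STOREPASS', 'SIGN_KEYPASS']

jar {
    doLast {
        File jarFile = archiveFile.get().asFile   // replaces jar.archivePath on Gradle 5.1+
        def missing = signEnv.findAll { !System.getenv(it) }
        if (missing) {
            jarFile.delete()
            throw new GradleException("Signing settings not set: ${missing.join(', ')}")
        }

        // An argument list (no whitespace splitting), and -storepass:env / -keypass:env
        // so jarsigner reads each password from the named variable, not the command line.
        def cmd = ['jarsigner',
                   '-keystore', System.getenv('SIGN_KEYSTORE'),
                   '-storepass:env', 'SIGN_STOREPASS',
                   '-keypass:env', 'SIGN_KEYPASS',
                   jarFile.absolutePath, System.getenv('SIGN_ALIAS')]
        def pb = new ProcessBuilder(cmd).redirectErrorStream(true)
        signEnv.each { pb.environment().put(it, System.getenv(it)) }
        def proc = pb.start()
        proc.outputStream.close()              // no stdin, so a password prompt cannot hang the build
        String output = proc.inputStream.text  // jarsigner's messages, kept for the error below
        int exit = proc.waitFor()

        // A signed jar carries a META-INF/*.SF signature file plus a .RSA/.DSA/.EC block.
        // Check for it rather than trusting the exit code alone.
        boolean signed = exit == 0 && new ZipFile(jarFile).withCloseable { zip ->
            zip.entries().toList().any { it.name ==~ /META-INF\/[^\/]+\.SF/ }
        }
        if (!signed) {
            jarFile.delete()   // otherwise the next build sees an up-to-date, unsigned jar
            throw new GradleException("jarsigner failed (exit ${exit}): ${output.trim()}")
        }
        logger.lifecycle("Signed ${jarFile.name}")
    }
}
```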