8

I managed to create main jar, copy dependencies to a single directory, the only step left is to sign all jars.

I can sign my own produced jar as a part of jar:sign, but how do i sign dependencies?

Thanks

tevch
  • 625
  • 6
  • 14

4 Answers4

7

Here are a couple of options:

  1. Use the Maven ant task to run jarsigner from the JDK against all the dependencies.
  2. Use the webstart plugin which can sign all your JARs, even if you aren't using it for the purpose of JNLP-izing your app. I'm using it to actually JNLPize one app.
  3. Look at what the webstart plugin source is doing to iterate over all dependencies and sign them and start a new Maven Plugin/Mojo that does the same thing, sans JNLP.
  4. Onejar your app and its dependencies and just sign that.
approxiblue
  • 6,982
  • 16
  • 51
  • 59
Matthew McCullough
  • 17,160
  • 7
  • 39
  • 38
1

add to plug-in config <archiveDirectory>target</archiveDirectory>

Anuradha
  • 11
  • 1
  • That would be a jarsigner plugin parameter (http://maven.apache.org/plugins/maven-jarsigner-plugin/sign-mojo.html#archiveDirectory), but target is not a good value. The target directory does not correspond to the root of the desired jar. – Eero Nov 29 '10 at 11:30
0

One can also create a single JAR using the maven-assembly-plugin.

Together with the other suggestion by Eric Anderson (of signing another JAR) one can then sign this assembled JAR (instead of the original JAR). Note that the order of the plugin definitions matters here.

It is assumed that sign.keystore.file etc are set elsewhere (e.g. in a profile).

<build>
    <plugins>
        <!-- It seems that maven-assembly-plugin must be declared before the maven-jar-plugin,
             so that it is executed first in the package phase,
             and then the signing of the packaged jar can succeed. -->
        <plugin>
            <artifactId>maven-assembly-plugin</artifactId>
            <version>2.4</version>
            <configuration>
                <descriptorRefs>
                    <descriptorRef>jar-with-dependencies</descriptorRef>
                </descriptorRefs>
                <archive>
                    <manifestEntries>
                        <!-- ... -->
                    </manifestEntries>
                </archive>
            </configuration>
            <executions>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>single</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jar-plugin</artifactId>
            <version>2.4</version>
            <executions>
                <execution>
                    <goals>
                        <goal>jar</goal>
                    </goals>
                </execution>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                    <configuration>
                        <jarPath>${project.build.directory}/${project.build.FinalName}-${project.packaging}-with-dependencies.${project.packaging}</jarPath>
                        <keystore>${sign.keystore.file}</keystore>
                        <type>${sign.keystore.type}</type>
                        <storepass>${sign.keystore.storepass}</storepass>
                        <alias>${sign.keystore.alias}</alias>
                        <verify>true</verify>
                        <verbose>false</verbose>
                        <removeExistingSignatures>true</removeExistingSignatures>
                    </configuration>
                </execution>
            </executions>
            <configuration>
                <archive>
                    <manifest>
                        <!-- <addClasspath>true</addClasspath> -->
                    </manifest>
                    <manifestEntries>
                        <!-- ... -->
                    </manifestEntries>
                </archive>
            </configuration>
        </plugin>
    </plugins>
</build>
anre
  • 3,617
  • 26
  • 33
0

If you are using maven-jar-plugin, you can specify which single jar to sign using the "jarPath" setting. The following configuration causes the jar-with-dependencies file to be signed instead of the dependency-less jar file:

<plugin>
    <artifactId>maven-jar-plugin</artifactId>
    <executions>
      <execution>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
      <execution>
        <id>make-assembly</id>
        <phase>package</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <!-- NOTE: The secret key is in shared version control.  The
           password is in shared version control.  This IS NOT
           SECURE.  It's intended to help avoid accidentally
           loading the wrong class, nothing more. -->
      <jarPath>${project.build.directory}/${project.build.FinalName}-${project.packaging}-with-dependencies.${project.packaging}</jarPath>
      <keystore>${basedir}/keystore</keystore>
      <alias>SharedSecret</alias>
      <storepass>FOO</storepass>
    </configuration>
  </plugin>

If you want to sign both, I don't know how to do that with maven-jar-plugin, so you may need to look into the other options mentioned above.

Eric Anderson
  • 1,968
  • 2
  • 15
  • 19