Time for action – signing the plug-ins

Integrating signatures into a Tycho build is a matter of adding a plug-in to the build script. In addition, Java properties need to be passed in to provide access to the arguments required by the jarsigner tool.

  1. Add the plug-in to the parent pom.xml file:
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <version>1.4</version>
      <executions>
        <execution>
          <id>sign</id>
          <goals>
            <goal>sign</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <verbose>true</verbose>
        <!-- alias>packtpub</alias -->
        <keystore>${project.parent.basedir}/keystore</keystore>
        <!-- storepass>...</storepass -->
        <!-- keypass>...</keypass -->
      </configuration>
    </plugin>
  2. Run mvn package and an error is shown:
    [ERROR] Failed to execute goal
     org.apache.maven.plugins:maven-jarsigner-plugin:1.4:sign (sign)
     on project com.packtpub.e4.parent:
     The parameters 'alias' for goal
     org.apache.maven.plugins:maven-jarsigner-plugin:1.4:sign
     are missing or invalid -> [Help 1]
    
  3. Pass in the arguments required by jarsigner, which can be supplied inside the pom.xml file or as Java system properties with a jarsigner prefix as follows (all on one line):
    mvn package
     -Djarsigner.alias=packtpub
     -Djarsigner.keypass=SayK3ys
     -Djarsigner.storepass=BarC0der
  4. If it is successful, the output should show:
    [INFO] --- maven-jarsigner-plugin:1.4:sign (sign) @
      com.packtpub.e4.clock.ui ---
    [INFO] 1 archive(s) processed
    [INFO] --- maven-jarsigner-plugin:1.4:sign (sign) @
      com.packtpub.e4.feature ---
    [INFO] 1 archive(s) processed
    [INFO] --- maven-jarsigner-plugin:1.4:sign (sign) @
      com.packtpub.e4.update ---
    [INFO] 1 archive(s) processed
    
  5. To run the sign step conditionally, a profile can be used. Move the jarsigner plugin from the build to a separate top-level profiles element in the pom.xml file:
    <profiles>
      <profile>
        <id>sign</id>
        <build>
          <plugins>
            <plugin>
              <groupId>org.apache.maven.plugins</groupId>
              <artifactId>maven-jarsigner-plugin</artifactId>
              ...
            </plugin>
          </plugins>
        </build>
      </profile>
    </profiles>
  6. Now run the build with mvn package, and verify that it runs without signing.
  7. Run the build with signing enabled by running mvn package -Psign to enable the sign profile; it should ask for the alias, as before.
  8. To automatically enable the sign profile whenever the jarsigner.alias property is provided, add the following to the profile:
    <profile>
      <id>sign</id>
      <activation>
        <property>
          <name>jarsigner.alias</name>
        </property>
      </activation>
      <build>
        ...
      </build>
    </profile>
  9. Now run the build as mvn package -Djarsigner.alias=packtpub ... to verify that signing runs without needing to specify the -Psign argument.

What just happened?

By adding the maven-jarsigner-plugin to the build, Maven signed any Jar that was built (including the content.jar and artifacts.jar, which don't really need to be signed). This is a standard pattern for building any signed Java content in Maven and isn't Tycho or Eclipse specific.

The parameters to jarsigner are specified as system properties. The -D flag for Maven, like Java, is used to specify a system property on the command line. The maven-jarsigner-plugin reads its properties with a prefix of jarsigner, so the alias is passed as jarsigner.alias and the keystore as jarsigner.keystore. Other parameters are documented on the maven-jarsigner-plugin page at https://maven.apache.org/plugins/maven-jarsigner-plugin/sign-mojo.html.

Note that the location of the store needs to be specified as a full path, since the plug-in will run with different directories (specifically the target directory of the build). Attempting to use a relative path will fail. Generally the location of the keystore and the passwords won't be part of the source code repository at all, but configured at build time with the build agent.
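Once the build has run, it is worth inspecting the produced jars rather than trusting the [INFO] lines alone. The following Python script is an added example, not code from the book, Tycho or the maven-jarsigner-plugin: it constructs a small in-memory jar standing in for a signed plug-in (the PACKTPUB.SF/.RSA files are placeholders, not a real signature) and audits it at the manifest level, the way jarsigner -verify starts: are signature files present, and does every entry's SHA-256 digest still match what the manifest recorded at signing time.

```python
import base64, hashlib, io, zipfile

SAMPLE_ENTRIES = {  # constructed stand-in for a built plug-in jar; not the book's project
    "plugin.xml": b"<plugin/>\n",
    "com/packtpub/e4/clock/ui/Activator.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
}
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def manifest_digest(data: bytes) -> str:
    """Digest exactly as jarsigner records it: base64 of SHA-256 over the raw entry bytes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def build_sample_jar(signed: bool = True, tamper: bool = False) -> bytes:
    """Constructed jar: digest manifest, optional dummy PACKTPUB.SF/.RSA, optional post-signing edit."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in SAMPLE_ENTRIES.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {manifest_digest(data)}", ""]
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        if signed:  # placeholders standing in for the real signature file and PKCS#7 block
            zf.writestr("META-INF/PACKTPUB.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/PACKTPUB.RSA", b"\x30\x82")
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data + b"//patched" if tamper and name.endswith(".class") else data)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Map each 'Name:' section to its headers; a leading space marks a continuation line."""
    blocks = [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
              for b in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n")]
    return {h["Name"]: h for h in blocks if "Name" in h}

def audit_jar(jar_bytes: bytes) -> list:
    """Findings for one jar; an empty list means it is signed and every digest still matches."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if not any(n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES) for n in names):
            findings.append("no META-INF signature files: jar was not signed")
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:  # the manifest and the signature files themselves carry no digest
            if name.endswith("/") or name == "META-INF/MANIFEST.MF" or name.endswith(SIGNATURE_SUFFIXES):
                continue
            expected = sections.get(name, {}).get("SHA-256-Digest")
            if expected is None:
                findings.append(f"{name}: no manifest digest (added after signing?)")
            elif expected != manifest_digest(zf.read(name)):
                findings.append(f"{name}: digest mismatch (modified after signing)")
    return findings
```

To run it against a real build output, read the jar from target/ into jar_bytes and print audit_jar's findings; an empty list from a jar the profile was supposed to sign is the result you want to see in the build log.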
