Integrating signatures into a Tycho build is a matter of adding a plug-in to the build script. In addition, Java properties need to be passed in to provide access to the arguments required by the jarsigner tool.
pom.xml file:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <version>1.4</version>
  <executions>
    <execution>
      <id>sign</id>
      <goals>
        <goal>sign</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <verbose>true</verbose>
    <!-- alias>packtpub</alias -->
    <keystore>${project.parent.basedir}/keystore</keystore>
    <!-- storepass>...</storepass -->
    <!-- keypass>...</keypass -->
  </configuration>
</plugin>

mvn package, and an error is shown:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-jarsigner-plugin:1.4:sign (sign) on project com.packtpub.e4.parent: The parameters 'alias' for goal org.apache.maven.plugins:maven-jarsigner-plugin:1.4:sign are missing or invalid -> [Help 1]

jarsigner, which can be supplied inside the pom.xml file or as Java system properties with a jarsigner prefix as follows (all on one line):

mvn package -Djarsigner.alias=packtpub -Djarsigner.keypass=SayK3ys -Djarsigner.storepass=BarC0der

[INFO] --- maven-jarsigner-plugin:1.4:sign (sign) @ com.packtpub.e4.clock.ui ---
[INFO] 1 archive(s) processed
[INFO] --- maven-jarsigner-plugin:1.4:sign (sign) @ com.packtpub.e4.feature ---
[INFO] 1 archive(s) processed
[INFO] --- maven-jarsigner-plugin:1.4:sign (sign) @ com.packtpub.e4.update ---
[INFO] 1 archive(s) processed

build to a separate top-level element profiles in the pom.xml file:

<profiles>
  <profile>
    <id>sign</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-jarsigner-plugin</artifactId>
          ...
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>

mvn package, and verify that it runs without signing.

mvn package -Psign to enable the sign profile; it should ask for the alias, as before.

jarsigner.alias property is provided, add the following to the profile:

<profile>
  <id>sign</id>
  <activation>
    <property>
      <name>jarsigner.alias</name>
    </property>
  </activation>
  <build>
    ...
  </build>
</profile>

mvn package -Djarsigner.alias=packtpub ... to verify that signing runs without needing to specify the -Psign argument.

By adding the maven-jarsigner-plugin to the build, Maven signed any JAR that was built (including the content.jar and artifacts.jar, which don't really need to be signed). This is a standard pattern for building any signed Java content in Maven and isn't Tycho or Eclipse specific.

The parameters to jarsigner are specified as system properties. The -D flag for Maven, like Java, is used to specify a system property on the command line. The maven-jarsigner-plugin reads its properties with a prefix of jarsigner, so the alias is passed as jarsigner.alias and the keystore as jarsigner.keystore. Other parameters are documented on the maven-jarsigner-plugin page at https://maven.apache.org/plugins/maven-jarsigner-plugin/sign-mojo.html.

Note that the location of the store needs to be specified as a full path, since the plug-in will run with different directories (specifically the target directory of the build). Attempting to use a relative path will fail. Generally the location of the keystore and the passwords won't be part of the source code repository at all, but configured at build time with the build agent.
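
The following profile is an added example, not from the original page: it takes the keystore path and passwords from environment variables set by the build agent, so they appear neither in the repository nor on the mvn command line (where -D arguments are visible in shell history and process listings), and it adds the plug-in's verify goal to check the signed JARs. The variable names JARSIGNER_KEYSTORE, JARSIGNER_STOREPASS and JARSIGNER_KEYPASS are assumptions, and JARSIGNER_KEYSTORE must hold an absolute path.

```xml
<!-- Added example, not from the original page. The JARSIGNER_* environment
     variable names are hypothetical; the build agent is assumed to export them. -->
<profile>
  <id>sign</id>
  <activation>
    <!-- Profile turns on whenever -Djarsigner.alias=... is supplied -->
    <property>
      <name>jarsigner.alias</name>
    </property>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jarsigner-plugin</artifactId>
        <version>1.4</version>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
          <!-- Runs jarsigner -verify on the built JARs; fails the build
               if a signature is missing or does not validate -->
          <execution>
            <id>verify</id>
            <goals>
              <goal>verify</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <verbose>true</verbose>
          <!-- The alias is not secret and still comes from -Djarsigner.alias -->
          <!-- Absolute path, since each module runs in its own directory -->
          <keystore>${env.JARSIGNER_KEYSTORE}</keystore>
          <!-- Secrets resolved from the agent's environment at build time -->
          <storepass>${env.JARSIGNER_STOREPASS}</storepass>
          <keypass>${env.JARSIGNER_KEYPASS}</keypass>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>
```

Run mvn verify -Djarsigner.alias=packtpub with the three variables exported. The verify goal is bound to the verify phase, so mvn package alone signs the JARs but does not check them.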