How can I tell which signed jar is causing maven-shade-plugin to fail?

半阙折子戏 2021-01-03 23:32

To run maven-shade-plugin, I have to use the method described here due to signed dependencies, as shown here:


    maven-shade         


        
2 Answers
  • 2021-01-04 00:12

    The shade plugin is unpacking all of the jars for the dependencies you have included and stuffing their contents into a single jar file. Sort of as if you had written all of it yourself.

    The configuration is telling the shade plugin not to move any files which end in .SF, .DSA or .RSA if they are included in a directory called META-INF.

    So all you need to do is figure out which jar has those files.

    First thing I would do is comment out the filter section and re-build. Then grep your shaded jar for those extensions. It might give you a clue to the package.

    The -t option on the jar command will list all of the files in the archive without extracting them. In general jar syntax is pretty similar to tar.

    jar -tvf target/myapp-1.0.3-SNAPSHOT.jar | grep -i dsa
    
    META-INF/BCKEY.DSA
    

    In my case it was pretty obvious. I had recently added Bouncy Castle as a dependency. BCKEY.DSA seems like it might be the Bouncy Castle Key.

    To confirm I just performed the same action on the bouncy castle jar. Since I built this with maven the jar is in my local repository:

    tar -tvf .m2/repository/org/bouncycastle/bcprov-jdk15on/1.48/bcprov-jdk15on-1.48.jar | grep -i dsa
    -rwxrwxrwx  0 0      0           0 Feb  9  2013 META-INF/BCKEY.DSA
    
  • 2021-01-04 00:13

    To get a list of signed JARs with Maven and bash+awk+sed, one can try something like this:

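    #!/bin/bash
    # Resolve the project's dependency classpath and split it into one JAR path per line.
    mvn_classpath=$(mvn dependency:build-classpath -B | awk '/Dependencies classpath:/{getline; print}' | tr ':' '\n')
    
    # Print 1 if jarsigner reports the JAR as verified, 0 otherwise, followed by the JAR path.
    for jar in $mvn_classpath; do
            echo "$(jarsigner -verify "$jar" | grep -c verified) $jar"
    done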
    

    This will list JAR files used by your project - those that are signed and verified are preceded by 1, the unsigned by 0. I had no signed JAR that would not be possible to verify, so I'm not sure how the logic should look in this case.

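Both answers come down to finding the dependency JARs that carry signature files directly under META-INF. The following is an added example, not code from either answer: a Python sketch that takes a classpath string such as the one `mvn dependency:build-classpath` prints and reports the signature entries per JAR. The function names and the sample JARs are constructed for illustration.

```python
import os
import tempfile
import zipfile

# The page's shade filter excludes .SF, .DSA and .RSA; .EC (EC keys) is an added assumption.
SIGNATURE_EXTS = (".SF", ".DSA", ".RSA", ".EC")


def signature_entries(jar_path):
    """Return the signature-related entries that sit directly in META-INF/."""
    hits = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            folder, _, leaf = name.rpartition("/")
            if folder.upper() == "META-INF" and leaf.upper().endswith(SIGNATURE_EXTS):
                hits.append(name)
    return sorted(hits)


def signed_jars(classpath, sep=os.pathsep):
    """Map each JAR on a classpath string to its signature entries (signed JARs only)."""
    report = {}
    for entry in filter(None, classpath.split(sep)):
        # Classpaths may also hold directories or missing files; skip those.
        if os.path.isfile(entry) and zipfile.is_zipfile(entry):
            found = signature_entries(entry)
            if found:
                report[entry] = found
    return report


def build_sample_classpath(workdir):
    """Create two constructed JARs (one signed-looking, one not) for the demo."""
    signed = os.path.join(workdir, "signed-lib-1.0.jar")
    plain = os.path.join(workdir, "plain-lib-1.0.jar")
    with zipfile.ZipFile(signed, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\n")
        jar.writestr("META-INF/SAMPLE.DSA", b"\x00")  # placeholder, not a real signature
    with zipfile.ZipFile(plain, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("docs/notes.sf", "not in META-INF, so not a signature file\n")
    return os.pathsep.join([signed, plain])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for jar, files in signed_jars(build_sample_classpath(tmp)).items():
            print(os.path.basename(jar), "->", ", ".join(files))
```

Unlike the `jarsigner -verify` loop, this only checks for the presence of signature files and does not validate them, which is all the shade filter cares about.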