Can Maven re-sign dependencies?

懵懂的女人 提交于 2019-12-05 20:10:52

Turns out maven-jarsigner-plugin can re-sign existing jars using it's removeExistingSignatures config element. So simple!

I use maven-dependency-plugin to copy artifacts into a .war project in the generate-resources phase, then sign them in the process-resources phase.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.8</version>
    <executions>
        <execution>
            <id>copy</id>
            <phase>generate-resources</phase>
            <goals>
                <goal>copy</goal>
            </goals>
            <configuration>
                <artifactItems>
                    <artifactItem>
                        <groupId>org.lwjgl.lwjgl</groupId>
                        <artifactId>lwjgl-platform</artifactId>
                        <version>2.9.0</version>
                        <classifier>natives-osx</classifier>
                        <type>jar</type>
                        <overWrite>true</overWrite>
                        <outputDirectory>src/main/webapp/</outputDirectory>
                        <destFileName>lwjgl-platform-natives-osx.jar</destFileName>
                    </artifactItem>   
                </artifactItems>        
                <outputDirectory>src/main/webapp</outputDirectory>
                <overWriteReleases>true</overWriteReleases>
                <overWriteSnapshots>true</overWriteSnapshots>
            </configuration>
        </execution>
    </executions>
</plugin>

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.2</version>
    <executions>
        <execution>
            <id>sign</id>
            <phase>process-resources</phase>
        <goals>
            <goal>sign</goal>
            </goals>
    </execution>
    </executions>
    <configuration>
        <keystore>${basedir}/path/to/my.keystore</keystore>
        <alias>alias</alias>
        <storepass>password</storepass>
        <keypass>password</keypass>
        <verbose>true</verbose>
        <archiveDirectory>src/main/webapp/</archiveDirectory>
        <processMainArtifact>false</processMainArtifact>
        <removeExistingSignatures>true</removeExistingSignatures>
    </configuration>
</plugin>

I know it is not a really good answer, but I would try a solution in these steps:

  • copy dependencies by maven-dependency-plugin
  • antrun: <unzip> them, strip everything from /META-INF directory except MANIFEST.MF, <jar> again and sign them again by using <jarsign> ant task.

The main problem I have found since I work with maven (quite recently I admit) is that it makes you go through its predefined pipeline, and this kind of things (which is more common than it seems) will make you need some ant hackery as you call it ;)

Never used it, but it seems the webstart-maven-plugin can unsign and sign jars.

http://mojo.codehaus.org/webstart/webstart-maven-plugin/unsign-mojo.html

Hope this help.

Angular University

Using maven:

Create an empty maven jar module per jar that you want to resign, do a maven dependency:unpack of one of the jars, filtering the signature files and copying the files to src/main/java.

Then sign the jar with maven-jarsigned-plugin, the result will be a jar containing the same classes.

An alternative non-maven based:

The above way does not scale well, it would probably be simpler to create a script that follows these steps.

The simplest way to do it would be:

Instead of resigning the jars, consider registering the public key of the signer in your maven repository, meaning you trust the person that created these jars and accept any jars coming from them.

The truth is you already trust them since you are using their code and resigning it, so it would be simpler to configure the repository to accept their signature, in the same way that the repository was already configured by someone to accept your signature.

The repository is linked to a key store containing the public keys of the accepted jar signers, it would be a matter of asking the team that handles the repository to add one more key to their list of trusted signers, they would know how to do that for sure.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!