Can Maven re-sign dependencies?

Question

I'm using maven-jarsigner-plugin to sign a shaded uber-jar of mine. I do need to distribute some dependencies in their own jars though, and want to take those jars from a Maven repo, clear them of any existing signatures, and sign them with my own certificate.

Are there any Maven plugins that do this, or would i involve some Ant plugin hackery?

Answer 1

Turns out maven-jarsigner-plugin can re-sign existing jars using it's removeExistingSignatures config element. So simple!

I use maven-dependency-plugin to copy artifacts into a .war project in the generate-resources phase, then sign them in the process-resources phase.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.8</version>
    <executions>
        <execution>
            <id>copy</id>
            <phase>generate-resources</phase>
            <goals>
                <goal>copy</goal>
            </goals>
            <configuration>
                <artifactItems>
                    <artifactItem>
                        <groupId>org.lwjgl.lwjgl</groupId>
                        <artifactId>lwjgl-platform</artifactId>
                        <version>2.9.0</version>
                        <classifier>natives-osx</classifier>
                        <type>jar</type>
                        <overWrite>true</overWrite>
                        <outputDirectory>src/main/webapp/</outputDirectory>
                        <destFileName>lwjgl-platform-natives-osx.jar</destFileName>
                    </artifactItem>   
                </artifactItems>        
                <outputDirectory>src/main/webapp</outputDirectory>
                <overWriteReleases>true</overWriteReleases>
                <overWriteSnapshots>true</overWriteSnapshots>
            </configuration>
        </execution>
    </executions>
</plugin>

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.2</version>
    <executions>
        <execution>
            <id>sign</id>
            <phase>process-resources</phase>
        <goals>
            <goal>sign</goal>
            </goals>
    </execution>
    </executions>
    <configuration>
        <keystore>${basedir}/path/to/my.keystore</keystore>
        <alias>alias</alias>
        <storepass>password</storepass>
        <keypass>password</keypass>
        <verbose>true</verbose>
        <archiveDirectory>src/main/webapp/</archiveDirectory>
        <processMainArtifact>false</processMainArtifact>
        <removeExistingSignatures>true</removeExistingSignatures>
    </configuration>
</plugin>

Answer 2

I know it is not a really good answer, but I would try a solution in these steps:

• copy dependencies by maven-dependency-plugin
• antrun: <unzip> them, strip everything from /META-INF directory except MANIFEST.MF, <jar> again and sign them again by using <jarsign> ant task.

The main problem I have found since I work with maven (quite recently I admit) is that it makes you go through its predefined pipeline, and this kind of things (which is more common than it seems) will make you need some ant hackery as you call it ;)

Answer 3

Never used it, but it seems the webstart-maven-plugin can unsign and sign jars.

http://mojo.codehaus.org/webstart/webstart-maven-plugin/unsign-mojo.html

Hope this help.

Answer 4

Using maven:

Create an empty maven jar module per jar that you want to resign, do a maven dependency:unpack of one of the jars, filtering the signature files and copying the files to src/main/java.

Then sign the jar with maven-jarsigned-plugin, the result will be a jar containing the same classes.

An alternative non-maven based:

The above way does not scale well, it would probably be simpler to create a script that follows these steps.

The simplest way to do it would be:

Instead of resigning the jars, consider registering the public key of the signer in your maven repository, meaning you trust the person that created these jars and accept any jars coming from them.

The truth is you already trust them since you are using their code and resigning it, so it would be simpler to configure the repository to accept their signature, in the same way that the repository was already configured by someone to accept your signature.

The repository is linked to a key store containing the public keys of the accepted jar signers, it would be a matter of asking the team that handles the repository to add one more key to their list of trusted signers, they would know how to do that for sure.