当前位置: 文江博客话题详情

maven不仅可以对生成的jar进行签名,还可以对依赖项进行签名

发布于 2024-07-21 02:19:54 字数 123 浏览 5 评论 0原文

我设法创建主 jar,将依赖项复制到单个目录,剩下的唯一步骤是对所有 jar 进行签名。

我可以将自己生成的 jar 作为 jar:sign 的一部分进行签名,但是如何对依赖项进行签名?

谢谢

原文

I managed to create main jar, copy dependencies to a single directory, the only step left is to sign all jars.

I can sign my own produced jar as a part of jar:sign, but how do i sign dependencies?

Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

司马昭之心 2024-07-28 02:19:54

这里有几个选项:

  1. 使用 Maven ant 任务从 JDK 针对所有依赖项运行 jarsigner。
  2. 使用 webstart 插件,它可以对您的所有 JAR 进行签名,即使您不是不要将其用于 JNLP 化您的应用程序。 我正在使用它来实际 JNLPize 一个应用程序。
  3. 看看 webstart 插件源正在做什么来迭代所有依赖项并对其进行签名,然后启动一个新的 Maven 插件/Mojo 来执行相同的操作,但无需 JNLP。
  4. Onejar 您的应用及其依赖项,然后对其进行签名。

Here are a couple of options:

  1. Use the Maven ant task to run jarsigner from the JDK against all the dependencies.
  2. Use the webstart plugin which can sign all your JARs, even if you aren't using it for the purpose of JNLP-izing your app. I'm using it to actually JNLPize one app.
  3. Look at what the webstart plugin source is doing to iterate over all dependencies and sign them and start a new Maven Plugin/Mojo that does the same thing, sans JNLP.
  4. Onejar your app and its dependencies and just sign that.
回复 原文
天邊彩虹 2024-07-28 02:19:54

添加到插件配置target

add to plug-in config <archiveDirectory>target</archiveDirectory>

回复 原文
陌路终见情 2024-07-28 02:19:54

如果您使用的是maven-jar-plugin,您可以使用“jarPath”设置指定要签名的单个 jar。 以下配置会导致对 jar-with-dependency 文件进行签名,而不是对无依赖项的 jar 文件进行签名:

<plugin>
    <artifactId>maven-jar-plugin</artifactId>
    <executions>
      <execution>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
      <execution>
        <id>make-assembly</id>
        <phase>package</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <!-- NOTE: The secret key is in shared version control.  The
           password is in shared version control.  This IS NOT
           SECURE.  It's intended to help avoid accidentally
           loading the wrong class, nothing more. -->
      <jarPath>${project.build.directory}/${project.build.FinalName}-${project.packaging}-with-dependencies.${project.packaging}</jarPath>
      <keystore>${basedir}/keystore</keystore>
      <alias>SharedSecret</alias>
      <storepass>FOO</storepass>
    </configuration>
  </plugin>

如果您想对两者进行签名,我不知道如何使用 进行签名maven-jar-plugin,因此您可能需要查看上面提到的其他选项。

If you are using maven-jar-plugin, you can specify which single jar to sign using the "jarPath" setting. The following configuration causes the jar-with-dependencies file to be signed instead of the dependency-less jar file:

<plugin>
    <artifactId>maven-jar-plugin</artifactId>
    <executions>
      <execution>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
      <execution>
        <id>make-assembly</id>
        <phase>package</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <!-- NOTE: The secret key is in shared version control.  The
           password is in shared version control.  This IS NOT
           SECURE.  It's intended to help avoid accidentally
           loading the wrong class, nothing more. -->
      <jarPath>${project.build.directory}/${project.build.FinalName}-${project.packaging}-with-dependencies.${project.packaging}</jarPath>
      <keystore>${basedir}/keystore</keystore>
      <alias>SharedSecret</alias>
      <storepass>FOO</storepass>
    </configuration>
  </plugin>

If you want to sign both, I don't know how to do that with maven-jar-plugin, so you may need to look into the other options mentioned above.

回复 原文
徒留西风 2024-07-28 02:19:54

还可以使用 maven-assemble-plugin 创建单个 JAR。

结合 Eric Anderson 的另一项建议(签署另一个 JAR),人们可以签署这个组装好的 JAR(而不是原始的 JAR)。 请注意,插件定义的顺序在这里很重要。

假设sign.keystore.file等在其他地方设置(例如在配置文件中)。

<build>
    <plugins>
        <!-- It seems that maven-assembly-plugin must be declared before the maven-jar-plugin,
             so that it is executed first in the package phase,
             and then the signing of the packaged jar can succeed. -->
        <plugin>
            <artifactId>maven-assembly-plugin</artifactId>
            <version>2.4</version>
            <configuration>
                <descriptorRefs>
                    <descriptorRef>jar-with-dependencies</descriptorRef>
                </descriptorRefs>
                <archive>
                    <manifestEntries>
                        <!-- ... -->
                    </manifestEntries>
                </archive>
            </configuration>
            <executions>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>single</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jar-plugin</artifactId>
            <version>2.4</version>
            <executions>
                <execution>
                    <goals>
                        <goal>jar</goal>
                    </goals>
                </execution>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                    <configuration>
                        <jarPath>${project.build.directory}/${project.build.FinalName}-${project.packaging}-with-dependencies.${project.packaging}</jarPath>
                        <keystore>${sign.keystore.file}</keystore>
                        <type>${sign.keystore.type}</type>
                        <storepass>${sign.keystore.storepass}</storepass>
                        <alias>${sign.keystore.alias}</alias>
                        <verify>true</verify>
                        <verbose>false</verbose>
                        <removeExistingSignatures>true</removeExistingSignatures>
                    </configuration>
                </execution>
            </executions>
            <configuration>
                <archive>
                    <manifest>
                        <!-- <addClasspath>true</addClasspath> -->
                    </manifest>
                    <manifestEntries>
                        <!-- ... -->
                    </manifestEntries>
                </archive>
            </configuration>
        </plugin>
    </plugins>
</build>

One can also create a single JAR using the maven-assembly-plugin.

Together with the other suggestion by Eric Anderson (of signing another JAR) one can then sign this assembled JAR (instead of the original JAR). Note that the order of the plugin definitions matters here.

It is assumed that sign.keystore.file etc are set elsewhere (e.g. in a profile).

<build>
    <plugins>
        <!-- It seems that maven-assembly-plugin must be declared before the maven-jar-plugin,
             so that it is executed first in the package phase,
             and then the signing of the packaged jar can succeed. -->
        <plugin>
            <artifactId>maven-assembly-plugin</artifactId>
            <version>2.4</version>
            <configuration>
                <descriptorRefs>
                    <descriptorRef>jar-with-dependencies</descriptorRef>
                </descriptorRefs>
                <archive>
                    <manifestEntries>
                        <!-- ... -->
                    </manifestEntries>
                </archive>
            </configuration>
            <executions>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>single</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jar-plugin</artifactId>
            <version>2.4</version>
            <executions>
                <execution>
                    <goals>
                        <goal>jar</goal>
                    </goals>
                </execution>
                <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                    <configuration>
                        <jarPath>${project.build.directory}/${project.build.FinalName}-${project.packaging}-with-dependencies.${project.packaging}</jarPath>
                        <keystore>${sign.keystore.file}</keystore>
                        <type>${sign.keystore.type}</type>
                        <storepass>${sign.keystore.storepass}</storepass>
                        <alias>${sign.keystore.alias}</alias>
                        <verify>true</verify>
                        <verbose>false</verbose>
                        <removeExistingSignatures>true</removeExistingSignatures>
                    </configuration>
                </execution>
            </executions>
            <configuration>
                <archive>
                    <manifest>
                        <!-- <addClasspath>true</addClasspath> -->
                    </manifest>
                    <manifestEntries>
                        <!-- ... -->
                    </manifestEntries>
                </archive>
            </configuration>
        </plugin>
    </plugins>
</build>
回复 原文
~没有更多了~

关于作者

夜巴黎

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

烙印

文章 0 评论 0

singlesman

文章 0 评论 0

给自己一个微笑

文章 0 评论 0

独孤求败

文章 0 评论 0

晨钟暮鼓

文章 0 评论 0

我是自愿种绣球花的

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文