maven-users mailing list archives

From: "Dahanne, Anthony" <Anthony.Daha...@compuware.com>
Subject: Maven JarSigner and timestamp authority
Date: Thu, 12 May 2011 17:33:08 GMT

Hello Maven users,
I'm in the process of mavenizing an Ant build (all right!) but there is a
step, signing, that seems not that obvious to achieve.
I can use the Maven jar signer and sign my jars OK, with:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <version>1.2</version>
  <executions>
    <execution>
      <id>sign</id>
      <goals>
        <goal>sign</goal>
      </goals>
    </execution>
    <execution>
      <id>verify</id>
      <goals>
        <goal>verify</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <keystore>${keystore.location}</keystore>
    <storepass>${keystore.store.password}</storepass>
    <keypass>${keystore.key.password}</keypass>
    <alias>${keystore.alias}</alias>
  </configuration>
</plugin>

And setting the variables in my settings.xml.
But I want more; in fact, the people who used to do the signing with
Ant also timestamped their jars while doing so.
Why? Because imagine your authority expires in 2012, and you signed
your jar in 2011: you do not want your users to have a security warning
when they install and use this jar in 2012+ (since when you signed it
you had the authority to do so back then in 2011; at least this is what
I understood from this process :-P )
So, with Ant, they did this:

<signjar alias="${sign.alias}" keystore="${sign.keystore}"
	storepass="${sign.storepass}"
	preservelastmodified="true"
	tsaurl="${tsa.url}">
	<path>
		<fileset dir="${buildDirectory}/buildRepo/plugins">
			<include name="**/com.company*.jar" />
		</fileset>
	</path>
</signjar>

Did you notice that "tsaurl=url"?
According to the doc, http://ant.apache.org/manual/Tasks/signjar.html
"URL for a timestamp authority for timestamped JAR files in Java1.5+"
Thing is, in Maven jar signer, there is no such option:
http://maven.apache.org/plugins/maven-jarsigner-plugin/sign-mojo.html
Is there a Maven plugin to accomplish this?
If not, should I create a feature request on the Maven jar signer Jira?
Or, but I would feel so sorry, should I use the Maven Ant runner plugin
to do this :-(

Thank you,
Best regards,


Anthony Dahanne
Software Developer
Compuware Montreal
75 Rue Queen, Suite 6500
Montreal, QC, Canada H3C 2N6
+1-514-798-8949
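
Added example, not part of the original message and not code from the Maven or Ant projects: a Python check that reports whether a signed JAR carries the RFC 3161 timestamp token that Ant's tsaurl option requests. It is a heuristic that scans the META-INF signature blocks for the id-aa-timeStampToken OID bytes; the function names and the in-memory sample JARs are constructed for illustration.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-timeStampToken), the
# unsigned attribute that carries an RFC 3161 timestamp in a PKCS#7 signature.
TIMESTAMP_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def audit_jar(jar):
    """Return 'unsigned', 'signed-no-timestamp' or 'signed-timestamped'.

    Heuristic only: it looks for the OID bytes in the META-INF signature
    blocks and does not validate the signature or the TSA certificate chain.
    """
    with zipfile.ZipFile(jar) as zf:
        blocks = [
            name for name in zf.namelist()
            if name.upper().startswith("META-INF/")
            and name.count("/") == 1
            and name.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)
        ]
        if not blocks:
            return "unsigned"
        # Report timestamped only if every signature block has a token.
        if all(TIMESTAMP_TOKEN_OID in zf.read(name) for name in blocks):
            return "signed-timestamped"
        return "signed-no-timestamp"


def constructed_jar(signature_block=None):
    """Build an in-memory JAR with a constructed (not real) signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/company/Example.class", b"\xca\xfe\xba\xbe")
        if signature_block is not None:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", signature_block)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = {
        "plain.jar": constructed_jar(),
        "signed.jar": constructed_jar(b"\x30\x82" + b"\x00" * 16),
        "stamped.jar": constructed_jar(b"\x30\x82" + TIMESTAMP_TOKEN_OID),
    }
    for name, jar in samples.items():
        print(f"{name}: {audit_jar(jar)}")
```

audit_jar also accepts a file path, so it can be run over the jars a build produces to flag any that were signed without a timestamp.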


 