Integrating signatures into a Tycho build is a matter of adding a plug-in to the build script. In addition, Java properties need to be passed in to provide access to the arguments required by the jarsigner tool.
pom.xml file:

    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <version>1.2</version>
      <executions>
        <execution>
          <id>sign</id>
          <goals>
            <goal>sign</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
mvn package and an error is shown:

    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-jarsigner-plugin:1.2:sign (sign) on project com.packtpub.e4.parent: The parameters 'alias' for goal org.apache.maven.plugins:maven-jarsigner-plugin:1.2:sign are missing or invalid -> [Help 1]
jarsigner, which are supplied as Java system properties with a jarsigner prefix as follows (all on one line):

    mvn package -Djarsigner.alias=packtpub -Djarsigner.keypass=SayK3ys -Djarsigner.storepass=BarC0der -Djarsigner.keystore=/path/to/keystore

    [INFO] --- maven-jarsigner-plugin:1.2:sign (sign) @ com.packtpub.e4.clock.ui ---
    [INFO] 1 archive(s) processed
    [INFO] --- maven-jarsigner-plugin:1.2:sign (sign) @ com.packtpub.e4.feature ---
    [INFO] 1 archive(s) processed
    [INFO] --- maven-jarsigner-plugin:1.2:sign (sign) @ com.packtpub.e4.update ---
    [INFO] 1 archive(s) processed
build to a separate top-level element profiles in pom.xml:

    <profiles>
      <profile>
        <id>sign</id>
        <build>
          <plugins>
            <plugin>
              <groupId>org.apache.maven.plugins</groupId>
              <artifactId>maven-jarsigner-plugin</artifactId>
              ...
            </plugin>
          </plugins>
        </build>
      </profile>
    </profiles>
mvn package, and verify that it runs without signing.

mvn package -Psign to enable the sign profile; it should ask for the alias, as before.

jarsigner.alias property is provided, add the following to the profile:

    <profile>
      <id>sign</id>
      <activation>
        <property>
          <name>jarsigner.alias</name>
        </property>
      </activation>
      <build>
        ...
      </build>
    </profile>

mvn package -Djarsigner.alias=packtpub ... to verify that signing runs without needing to specify the -Psign argument.

By adding the maven-jarsigner-plugin to the build, Maven signed any JAR file that was built (including the content.jar and artifacts.jar files, which don't really need to be signed). This is a standard pattern for building any signed Java content in Maven and isn't Tycho or Eclipse-specific.
The parameters to jarsigner are specified as system properties. The -D flag for Maven, like Java, is used to specify a system property on the command line. The maven-jarsigner-plugin reads its properties with a prefix of jarsigner, so the alias is passed as jarsigner.alias and the keystore as jarsigner.keystore.
Note that the location of the store needs to be specified as a full path, since the plug-in will run with different directories (specifically the "target" directory of the build). Attempting to use a relative path will fail.
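Because the build signs every JAR it produces, it is worth checking afterwards which archives actually carry signature entries and whether any file sits outside the signature. The following is an added example, not code from the original text: the function names and the in-memory sample JARs are constructed for illustration, and it inspects structure only, so `jarsigner -verify` remains the cryptographic check.

```python
import io
import re
import zipfile

# Signature entries jarsigner writes under META-INF/, by default named after the key alias.
SIG_FILE = re.compile(r"^META-INF/([^/]+)\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.I)


def signed_names(sf_text):
    """Entry names listed in a .SF file, with 72-byte line wrapping undone."""
    unfolded = re.sub(r"\r?\n ", "", sf_text)  # continuation lines start with a space
    return {ln[6:] for ln in unfolded.splitlines() if ln.startswith("Name: ")}


def inspect_jar(jar):
    """Return (status, uncovered); status is 'unsigned', 'signed' or 'incomplete'.
    uncovered lists entries that no .SF file names (e.g. added after signing).
    Structure only: digests and the certificate chain are not validated."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        sf = {m.group(1).upper(): n for n in names if (m := SIG_FILE.match(n))}
        blocks = {m.group(1).upper() for n in names if (m := SIG_BLOCK.match(n))}
        covered = set()
        for sf_name in sf.values():
            covered |= signed_names(zf.read(sf_name).decode("utf-8", "replace"))
    if not sf and not blocks:
        return "unsigned", []
    # Simplification: everything under META-INF/ is skipped, not only signature files.
    payload = {n for n in names if not n.endswith("/") and not n.upper().startswith("META-INF/")}
    uncovered = sorted(payload - covered)
    return ("signed" if set(sf) == blocks and not uncovered else "incomplete"), uncovered


def make_jar(entries):
    """Build an in-memory JAR from {name: text}; constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf


if __name__ == "__main__":
    sf = "Signature-Version: 1.0\r\n\r\nName: Clock.class\r\nSHA-256-Digest: placeholder\r\n"
    signed = {"META-INF/PACKTPUB.SF": sf, "META-INF/PACKTPUB.RSA": "x", "Clock.class": "x"}
    print(inspect_jar(make_jar(signed)))
    print(inspect_jar(make_jar({**signed, "Extra.class": "added later"})))
    print(inspect_jar(make_jar({"content.xml": "<repository/>"})))
```

Pass a file path instead of an in-memory buffer to check real build output, such as the JARs under each module's target directory.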