Time for action – signing the plug-ins

Integrating signatures into a Tycho build is a matter of adding a plug-in to the build script. In addition, Java properties need to be passed in to provide access to the arguments required by the jarsigner tool.

  1. Add the plug-in to the parent pom.xml file:
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <version>1.2</version>
      <executions>
        <execution>
          <id>sign</id>
          <goals>
            <goal>sign</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  2. Run mvn package and an error is shown:
    [ERROR] Failed to execute goal
      org.apache.maven.plugins:maven-jarsigner-
      plugin:1.2:sign (sign)
      on project com.packtpub.e4.parent:
      The parameters 'alias' for goal
      org.apache.maven.plugins:maven-jarsigner-plugin:1.2:sign
      are missing or invalid -> [Help 1]
  3. Pass in the arguments required by jarsigner, which are supplied as Java system properties with a jarsigner prefix as follows (all on one line):
    mvn package
      -Djarsigner.alias=packtpub
      -Djarsigner.keypass=SayK3ys
      -Djarsigner.storepass=BarC0der
      -Djarsigner.keystore=/path/to/keystore
  4. If it is successful, the output should be as follows:
    [INFO] --- maven-jarsigner-plugin:1.2:sign (sign) @
      com.packtpub.e4.clock.ui ---
    [INFO] 1 archive(s) processed
    [INFO] --- maven-jarsigner-plugin:1.2:sign (sign) @
      com.packtpub.e4.feature ---
    [INFO] 1 archive(s) processed
    [INFO] --- maven-jarsigner-plugin:1.2:sign (sign) @
      com.packtpub.e4.update ---
    [INFO] 1 archive(s) processed
  5. To run the sign step conditionally, a profile can be used. Move the sign plug-in out of the build element into a separate top-level profiles element in pom.xml:
    <profiles>
      <profile>
        <id>sign</id>
        <build>
          <plugins>
            <plugin>
              <groupId>org.apache.maven.plugins</groupId>
              <artifactId>maven-jarsigner-plugin</artifactId>
              ...
            </plugin>
          </plugins>
        </build>
      </profile>
    </profiles>
  6. Now run the build with mvn package, and verify that it runs without signing.
  7. Run the build with signing enabled by running mvn package -Psign to enable the sign profile; it should fail with the same "parameters 'alias' ... are missing" error as before, because the profile only adds the plug-in and the jarsigner properties still have to be supplied.
  8. To automatically enable the sign profile whenever the jarsigner.alias property is provided, add the following to the profile:
    <profile>
      <id>sign</id>
      <activation>
        <property>
          <name>jarsigner.alias</name>
        </property>
      </activation>
      <build>
        ...
      </build>
    </profile>
  9. Now, run the build as mvn package -Djarsigner.alias=packtpub ... (with the other jarsigner properties from step 3) to verify that signing runs without needing to specify the -Psign argument.
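The complete profile as it stands after steps 5 to 8, as an added example and not the book's own pom.xml: it combines the property activation with the sign execution, and adds the plug-in's verify goal (an addition not shown above), bound to the same package phase so that mvn package both signs each module's JAR and then has jarsigner check the result, printing the signer certificates and failing the build if jarsigner rejects a signature. The plug-in version and the jarsigner.* property names are the ones already used in the steps; nothing else is assumed.

```xml
<!-- Added example: full "sign" profile for the parent pom.xml.
     Activated whenever -Djarsigner.alias=... is given, so -Psign is not needed.
     alias, keystore, storepass and keypass are read by the plug-in from the
     matching jarsigner.* properties; none of them is hardcoded here. -->
<profiles>
  <profile>
    <id>sign</id>
    <activation>
      <property>
        <name>jarsigner.alias</name>
      </property>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-jarsigner-plugin</artifactId>
          <version>1.2</version>
          <configuration>
            <!-- Echo the jarsigner command lines into the build log
                 (passwords are not printed by the plug-in). -->
            <verbose>true</verbose>
          </configuration>
          <executions>
            <!-- 1. Sign the module's JAR in the package phase (plug-in default). -->
            <execution>
              <id>sign</id>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
            <!-- 2. Immediately verify what was just signed. Bound to the same
                 phase; executions of one plug-in run in declaration order. -->
            <execution>
              <id>verify</id>
              <phase>package</phase>
              <goals>
                <goal>verify</goal>
              </goals>
              <configuration>
                <!-- Print the certificate chain of each signer so the log
                     shows which key actually signed the artifact. -->
                <certs>true</certs>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Run it exactly as in step 3 (mvn package -Djarsigner.alias=... -Djarsigner.keystore=/path/to/keystore ...). Two practical points: passwords given as -Djarsigner.storepass / -Djarsigner.keypass on the command line end up in shell history and are visible to other users via ps while the build runs, so on a shared or CI machine put those properties in a profile in ~/.m2/settings.xml or inject them from the CI secret store instead; and the plug-in also accepts -Djarsigner.tsa=<timestamp authority URL>, which time-stamps the signature so it remains verifiable after the signing certificate expires.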

What just happened?

By adding the maven-jarsigner-plugin to the build, Maven signed any JAR file that was built (including the content.jar and artifacts.jar files, which don't really need to be signed). This is a standard pattern for building any signed Java content in Maven and isn't Tycho or Eclipse-specific.

The parameters to jarsigner are specified as system properties. The -D flag for Maven, like Java, is used to specify a system property on the command line. The maven-jarsigner-plugin reads its properties with a prefix of jarsigner, so the alias is passed as jarsigner.alias, the keystore as jarsigner.keystore, and the two passwords as jarsigner.storepass and jarsigner.keypass. Because anything passed with -D is visible in the process list and is recorded in the shell history, the passwords are better supplied from a settings.xml profile or a CI secret than typed on the command line.

Note that the location of the store needs to be specified as a full path, since the plug-in will run with different directories (specifically the "target" directory of the build). Attempting to use a relative path will fail.
