michas
michas

Reputation: 26545

How to tell the maven-shade-plugin to preserve signatures?

I am using the maven-shade-plugin to combine two seperate jars into a single combined jar.

One of the jars is signed, while the other is not.

If I use the default configuration of the plugin, it will build a broken jar as the new manifest is missing the digest needed by the signature.

I could "fix" the jar by excluding the signature files, but this will of course result in a completely unsigned jar.

I am looking for a way to create a combined jar with all the signed classes remaining signed and valid. - The jar format allows those kind of jars but I could not find an easy way to tell the shade plugin to do so.

Should I write my own transformer to do a proper merging of manifest files or is there already a suitable option in the shade-plugin I did not find, yet?


Example:

pom.xml (defining two modules "foo" and "bar")

<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>mygroup</groupId>
  <artifactId>myparent</artifactId>
  <packaging>pom</packaging>
  <version>1.0</version>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <modules>
    <module>foo</module>
    <module>bar</module>
  </modules>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.4</version>
        <configuration>
          <archive>
            <addMavenDescriptor>false</addMavenDescriptor>
          </archive>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

foo/pom.xml: (combine signed bar into unsigned foo)

<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0                              http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>mygroup</groupId>
    <artifactId>myparent</artifactId>
    <version>1.0</version>
  </parent>
  <artifactId>foo</artifactId>
  <dependencies>
    <dependency>
      <groupId>mygroup</groupId>
      <artifactId>bar</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>2.3</version>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>shade</goal>
            </goals>
            <configuration>
              <transformers>
                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                  <manifestEntries>
                    <Main-Class>Foo</Main-Class>
                  </manifestEntries>
                </transformer>
              </transformers>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

bar/pom.xml: (create signed bar)

<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0                              http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>mygroup</groupId>
    <artifactId>myparent</artifactId>
    <version>1.0</version>
  </parent>
  <artifactId>bar</artifactId>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jarsigner-plugin</artifactId>
        <version>1.3.2</version>
        <configuration>
          <keystore>${user.home}/keystore-name</keystore>
          <alias>alias-name</alias>
          <storepass>123456</storepass>
        </configuration>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
          <execution>
            <id>verify</id>
            <goals>
              <goal>verify</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

If both modules contain a single hello-word class, I would expect java -jar foo/target/foo-1.0.jar to work and jarsigner -verify foo/target/foo-1.0.jar to tell about the presence of signed classes.

Upvotes: 2

Views: 1778

Answers (1)

gizmo
gizmo

Reputation: 11909

The maven shade plugin does not play nicely with signed jars. I would recommend you take a look at Capsule that is way better to do this kind of job.

Upvotes: 2

Related Questions