amphibient

Reputation: 31212

How to remove signature from dependency jar?

I have a Maven project foo, which is a webstart. In order to be distributable via browser, the contents need to be jarsigned, which I do using maven-jarsigner-plugin:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.4</version>
    <executions>
      <execution>
        <phase>package</phase>
        <id>sign</id>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <keystore>mykeystore.jks</keystore>
      <alias>myalias</alias>
      <storepass>mypass</storepass>
    </configuration>
</plugin>

That part works. However, the utterly awkward scenario is that I need to use some modules from the webstart jar in a server side component, let's call it bar, that runs as a Tomcat module as a war file. I didn't design this -- it's a huge hack so I don't need advice on what a bad design that is. It's a legacy constraint I have to work within for now.

The problem is, when I declare foo as a dependency to bar, it takes the jarsigned foo.jar -- and then I get a java.lang.SecurityException because the rest of bar.war is not signed.

QUESTION: Is there a way for me to either

  1. Save both a signed and unsigned jar in the build process of foo and then call the unsigned as a dependency to bar -- or

  2. Remove the signature in the single signed foo.jar in the dependency declaration within bar's pom.xml?

Upvotes: 2

Views: 2406

Answers (1)

ilooner

Reputation: 2550

You can use Maven classifiers in conjunction with profiles to achieve what you want. More details about classifiers can be found on this page.

  • Have two profiles in your pom: signed and unsigned. Include the jarsigner plugin as part of the signed profile definition.
  • Set the classifier based on the profile that is being used. A good example of setting the artifact's classifier based on the selected profile can be found in this question: Building same project in Maven with different artifactid (based on JDK used)
  • Run the build twice (once for each profile) to produce a signed and unsigned jar.

Upvotes: 2
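
A variation on the profile-plus-classifier approach above, as an added example that is not code from the question or the answer: a single `signed` profile attaches a second jar under a classifier and signs only that copy, so the main foo jar stays unsigned for bar. The profile id, the classifier name `signed`, the execution id and the `keystore.pass` property are assumptions; the keystore and alias are the ones from the question.

```xml
<!-- foo/pom.xml (added example; profile id, classifier and keystore.pass are assumed names) -->
<profiles>
  <profile>
    <id>signed</id>
    <build>
      <plugins>
        <!-- Package a second copy of the classes as foo-<version>-signed.jar.
             The main foo-<version>.jar is still built by the default lifecycle. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-jar-plugin</artifactId>
          <executions>
            <execution>
              <id>signed-jar</id>
              <phase>package</phase>
              <goals>
                <goal>jar</goal>
              </goals>
              <configuration>
                <classifier>signed</classifier>
              </configuration>
            </execution>
          </executions>
        </plugin>
        <!-- Sign only attached artifacts (the -signed jar); leave the main jar untouched. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-jarsigner-plugin</artifactId>
          <version>1.4</version>
          <executions>
            <execution>
              <id>sign</id>
              <phase>package</phase>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
          <configuration>
            <keystore>mykeystore.jks</keystore>
            <alias>myalias</alias>
            <!-- Assumed property: supply it at build time rather than committing it. -->
            <storepass>${keystore.pass}</storepass>
            <processMainArtifact>false</processMainArtifact>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this in place, building foo with `-Psigned` yields both jars; a plain dependency on foo in bar's pom.xml (no `<classifier>`) resolves the unsigned main jar, while the webstart distribution picks up the `-signed` one.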
