Question

In a Maven repository I have an Eclipse plugin, which I need in order to create a feature. The local dependency test.branding.plugin is signed, but the one downloaded from Nexus, test.plugin.nexus, isn't.

This is how I have defined the dependency in my parent pom.xml:

<dependencies>
    <dependency>
        <groupId>test.plugin</groupId>
        <artifactId>nexus</artifactId>
        <version>1.0.0</version>
    </dependency>
</dependencies>

Here is the rest of the pom.xml file.

<modules>
    <module>../test.feature</module>
    <module>../test.branding.plugin</module>
    <module>../test.p2</module>
</modules>
<build>
    <plugins>
        <plugin>
            <groupId>org.eclipse.tycho</groupId>
            <artifactId>tycho-maven-plugin</artifactId>
            <version>${tycho-version}</version>
            <extensions>true</extensions>
        </plugin>
        <plugin>
            <groupId>org.eclipse.tycho</groupId>
            <artifactId>tycho-p2-plugin</artifactId>
            <version>${tycho-version}</version>
        </plugin>
        <plugin>
            <groupId>org.eclipse.tycho</groupId>
            <artifactId>target-platform-configuration</artifactId>
            <version>${tycho-version}</version>
            <configuration>
                <resolver>p2</resolver>
                <environments>
                    <environment>
                        <os>linux</os>
                        <ws>gtk</ws>
                        <arch>x86</arch>
                    </environment>
                    <environment>
                        <os>linux</os>
                        <ws>gtk</ws>
                        <arch>x86_64</arch>
                    </environment>
                    <environment>
                        <os>win32</os>
                        <ws>win32</ws>
                        <arch>x86_64</arch>
                    </environment>
                    <environment>
                        <os>win32</os>
                        <ws>win32</ws>
                        <arch>x86</arch>
                    </environment>
                    <environment>
                        <os>macosx</os>
                        <ws>cocoa</ws>
                        <arch>x86_64</arch>
                    </environment>
                </environments>
                <allowConflictingDependencies>true</allowConflictingDependencies>
                <pomDependencies>consider</pomDependencies>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jarsigner-plugin</artifactId>
            <version>1.3.1</version>
            <configuration>
                <keystore>../test.parent/cert.jks</keystore>
                <storepass>storepass</storepass>
                <alias>alias</alias>
                <keypass>keypass</keypass>
                <arguments>
                    <argument>-sigalg</argument>
                    <argument>MD5withRSA</argument>
                    <argument>-digestalg</argument>
                    <argument>SHA1</argument>
                </arguments>
            </configuration>
            <executions>
                <execution>
                    <id>sign</id>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>

    <pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.eclipse.tycho</groupId>
                <artifactId>tycho-packaging-plugin</artifactId>
                <version>${tycho-version}</version>
                <configuration>
                    <format>yyyyMMdd-HHmm</format>
                </configuration>
            </plugin>
        </plugins>
    </pluginManagement>
</build>

Any ideas?

Solution

You can do this with a workaround. If you put jarsigner into your normal lifecycle, it will only sign the artifacts of your modules.

You can, however, put the jarsigner plugin into your p2-module instead, retroactively signing all your jars before zipping the p2 repository.

For this to work, you have to enter the call of jarsigner:sign between tycho-p2-repository-plugin:assemble-repository and tycho-p2-repository-plugin:archive-repository, i.e. after the blown out p2 is created, but before it is zipped. Since both goals are run in the same phase, you need a trick:

You need to move tycho-p2-repository-plugin:assemble-repository into an earlier phase (prepare-package).

Have a look at this example:

  <plugin>
    <groupId>org.eclipse.tycho</groupId>
    <artifactId>tycho-p2-repository-plugin</artifactId>
    <version>${tycho-version}</version>
    <executions>
      <execution>
        <id>default-assemble-repository</id>
        <!-- execute the assemble step in prepare-package -->
        <phase>prepare-package</phase>
      </execution>
    </executions>
  </plugin>
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.3.1</version>
    <configuration>
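      <keystore>../test.parent/cert.jks</keystore>
      <!-- placeholder credentials; keep real values out of the committed pom -->
      <storepass>storepass</storepass>
      <alias>alias</alias>
      <keypass>keypass</keypass>
      <arguments>
        <!-- algorithms as in the question; current JDKs treat JARs signed with MD5 as unsigned -->
        <argument>-sigalg</argument>
        <argument>MD5withRSA</argument>
        <argument>-digestalg</argument>
        <argument>SHA1</argument>
      </arguments>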
      <archiveDirectory>${project.build.directory}/repository</archiveDirectory>
      <includes>
        <include>features/*.jar</include>
        <!-- potentially only sign specific plugins -->
        <include>plugins/*.jar</include>
      </includes>
    </configuration>
    <executions>
      <execution>
        <id>sign</id>
        <phase>prepare-package</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

The result is a zip file containing all jars.

However, there is one small caveat:

The size of the artifacts increases due to signing, but the relevant size properties in artifacts.jar are not adjusted. This currently has no effect (it is only used to generate download progress bars in special situations), but it could lead to problems using some future p2 implementation.

Update

Seems the problem with the wrong checksum is known (see: https://bugs.eclipse.org/bugs/show_bug.cgi?id=347041).

Try to use eclipse-maven-signing-plugin to do all the necessary unpacking and adapting:

<plugin>
    <!-- <groupId>org.eclipse.dash.maven</groupId> -->
    <groupId>org.eclipse.jetty.toolchain</groupId>
    <artifactId>eclipse-signing-maven-plugin</artifactId>
    <version>1.0.0</version>
    <executions>
        <execution>
            <id>fixMD5Sums</id>
            <phase>package</phase>
            <goals>
                <goal>fixCheckSums</goal>
            </goals>
            <configuration>
                <inputFile>${project.build.directory}/${project.build.finalName}.zip</inputFile>
            </configuration>
        </execution>
    </executions>
</plugin>

This seems somewhat outdated, but could still work. Eclipse-maven-signing-plugin seems also to be able to do the whole signing process itself, but this would need further investigation.
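
A check for the caveat discussed above, as an added example that is not part of the original answer or of Tycho: it reads artifacts.xml from artifacts.jar in the assembled repository directory and reports JARs that carry no signature entries or whose recorded download.size / download.md5 no longer match the file on disk. It assumes the default p2 layout (plugins/ and features/ with id_version.jar names); the function names and the two-bundle fixture are constructed for illustration.

```python
import hashlib, re, tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Assumed default p2 layout: artifact classifier -> repository sub-directory
DIRS = {"osgi.bundle": "plugins", "org.eclipse.update.feature": "features"}
SIG = re.compile(r"META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.I)

def is_signed(jar):
    """Structural check only: .SF plus a signature block exist (no crypto validation)."""
    with zipfile.ZipFile(jar) as z:
        exts = {m.group(1).upper() for n in z.namelist() if (m := SIG.match(n))}
    return "SF" in exts and len(exts) > 1

def audit(repo):
    """Yield (jar name, finding) for JARs that are unsigned or have stale metadata."""
    with zipfile.ZipFile(repo / "artifacts.jar") as z:
        root = ET.fromstring(z.read("artifacts.xml"))
    for art in root.iter("artifact"):
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        sub = DIRS.get(art.get("classifier"))
        if sub is None or props.get("format") == "packed":
            continue  # not a plain JAR that the signing step rewrote
        jar = repo / sub / f"{art.get('id')}_{art.get('version')}.jar"
        data = jar.read_bytes()
        actual = {"download.size": str(len(data)), "download.md5": hashlib.md5(data).hexdigest()}
        yield from ((jar.name, f"stale {k}") for k, v in actual.items() if props.get(k, v) != v)
        if not is_signed(jar):
            yield jar.name, "unsigned"

def make_sample(repo):
    """Constructed fixture: sizes are recorded, then only bundle 'a' gets dummy signature entries."""
    xml = ""
    for bid in ("a", "b"):
        jar = repo / "plugins" / f"{bid}_1.0.0.jar"
        jar.parent.mkdir(exist_ok=True)
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        xml += (f"<artifact classifier='osgi.bundle' id='{bid}' version='1.0.0'>"
                f"<property name='download.size' value='{jar.stat().st_size}'/></artifact>")
    with zipfile.ZipFile(repo / "plugins" / "a_1.0.0.jar", "a") as z:
        for ext in ("SF", "RSA"):
            z.writestr(f"META-INF/SAMPLE.{ext}", "dummy")
    with zipfile.ZipFile(repo / "artifacts.jar", "w") as z:
        z.writestr("artifacts.xml", f"<repository>{xml}</repository>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(Path(tmp))
        print(list(audit(Path(tmp))))
```

Cryptographic validation of each signature still needs `jarsigner -verify`; this script only shows which JARs the signing step missed and which metadata entries it left stale.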

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow