如何从依赖项jar中删除签名? [英] How to remove signature from dependency jar?

问题描述

我有一个Maven项目foo，它是一个webstart.为了通过浏览器进行分发，需要对内容进行jarsigned，我使用maven-jarsigner-plugin:

I have a Maven project foo, which is a webstart. In order to be distributable via browser, the contents need to be jarsigned, which I do using maven-jarsigner-plugin:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.4</version>
    <executions>
      <execution>
        <phase>package</phase>
        <id>sign</id>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <keystore>mykeystore.jks</keystore>
      <alias>myalias</alias>
      <storepass>mypass</storepass>
    </configuration>
</plugin>

该部分有效.但是，非常尴尬的情况是，我需要在服务器端组件中使用来自webstart jar的一些模块，我们称之为bar，它作为war文件作为Tomcat模块运行.我没有设计这个-这是一个巨大的漏洞，所以我不需要关于什么是不良设计的建议.这是我现在必须处理的遗留约束.

That part works. However, the utterly awkward scenario is that I need to use some modules from the webstart jar in a server side component, let's call it bar, that runs as a Tomcat module as a war file. I didn't design this -- it's a huge hack so I don't need advice on what a bad design that is. It's a legacy constraint I have to work within for now.

问题是，当我将foo声明为bar的依赖项时，它将使用jarsigned的foo.jar，然后得到

The problem is, when I declare foo as a dependency to bar, it takes the jarsigned foo.jar -- and then I get a java.lang.SecurityException because the rest of bar.war is not signed.

问题:我有办法

1. 在foo的构建过程中保存有符号和无符号的jar，然后将无符号的jar称为bar或

1. Save both a signed and unsigned jar in the build process of foo and then call the unsigned as a dependency to bar -- or

在bar的pom.xml?

推荐答案

您可以将maven 分类符与配置文件结合使用以实现所需的功能.有关分类器的更多详细信息，请参见在此页面上

You can use maven classifiers in conjunction with profiles to achieve what you want. More details about classifiers can be found on this page

• 您的Pom中有两个配置文件:已签名和未签名.将jarsigner plguin作为 signed 配置文件定义的一部分.
• 根据正在使用的配置文件设置分类器.在此问题中可以找到基于所选配置文件设置工件分类器的一个很好的示例:

• Have two profiles in your pom: signed and unsigned. Include the jarsigner plguin as part of the signed profile definition.
• Set the classifier based on the profile that is being used. A good example of setting the artifact's classifier based on the selected profile can be found in this question: Building same project in Maven with different artifactid (based on JDK used)
• Run the build twice (once for each profile) to produce a signed and unsigned jar.

这篇关于如何从依赖项jar中删除签名?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！