Jarsigner doesn't sign plugin dependencies

Problem description

In a Maven repository I have an Eclipse plugin, which I need in order to create a feature. The local dependency test.branding.plugin is signed, but the one downloaded from Nexus, test.plugin.nexus, isn't.

This is how I have defined the dependency in my parent pom.xml

<dependencies>
    <dependency>
        <groupId>test.plugin</groupId>
        <artifactId>nexus</artifactId>
        <version>1.0.0</version>
    </dependency>
</dependencies>

Here is the rest of the pom.xml file.

<modules>
    <module>../test.feature</module>
    <module>../test.branding.plugin</module>
    <module>../test.p2</module>
</modules>
<build>
    <plugins>
        <plugin>
            <groupId>org.eclipse.tycho</groupId>
            <artifactId>tycho-maven-plugin</artifactId>
            <version>${tycho-version}</version>
            <extensions>true</extensions>
        </plugin>
        <plugin>
            <groupId>org.eclipse.tycho</groupId>
            <artifactId>tycho-p2-plugin</artifactId>
            <version>${tycho-version}</version>
        </plugin>
        <plugin>
            <groupId>org.eclipse.tycho</groupId>
            <artifactId>target-platform-configuration</artifactId>
            <version>${tycho-version}</version>
            <configuration>
                <resolver>p2</resolver>
                <environments>
                    <environment>
                        <os>linux</os>
                        <ws>gtk</ws>
                        <arch>x86</arch>
                    </environment>
                    <environment>
                        <os>linux</os>
                        <ws>gtk</ws>
                        <arch>x86_64</arch>
                    </environment>
                    <environment>
                        <os>win32</os>
                        <ws>win32</ws>
                        <arch>x86_64</arch>
                    </environment>
                    <environment>
                        <os>win32</os>
                        <ws>win32</ws>
                        <arch>x86</arch>
                    </environment>
                    <environment>
                        <os>macosx</os>
                        <ws>cocoa</ws>
                        <arch>x86_64</arch>
                    </environment>
                </environments>
                <allowConflictingDependencies>true</allowConflictingDependencies>
                <pomDependencies>consider</pomDependencies>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jarsigner-plugin</artifactId>
            <version>1.3.1</version>
            <configuration>
                <keystore>../test.parent/cert.jks</keystore>
                <storepass>storepass</storepass>
                <alias>alias</alias>
                <keypass>keypass</keypass>
                <arguments>
                    <argument>-sigalg</argument>
                    <argument>MD5withRSA</argument>
                    <argument>-digestalg</argument>
                    <argument>SHA1</argument>
                </arguments>
            </configuration>
            <executions>
                <execution>
                    <id>sign</id>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>

    <pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.eclipse.tycho</groupId>
                <artifactId>tycho-packaging-plugin</artifactId>
                <version>${tycho-version}</version>
                <configuration>
                    <format>yyyyMMdd-HHmm</format>
                </configuration>
            </plugin>
        </plugins>
    </pluginManagement>
</build>

Any ideas?

Recommended answer

You can do this with a workaround. If you put jarsigner into your normal lifecycle, it will only sign the artifacts of your modules.

You can, however, put the jarsigner plugin into your p2-module instead, retroactively signing all your jars before zipping the p2 repository.

For this to work, you have to enter the call of jarsigner:sign between tycho-p2-repository-plugin:assemble-repository and tycho-p2-repository-plugin:archive-repository, i.e. after the blown out p2 is created, but before it is zipped. Since both goals are run in the same phase, you need a trick:

You need to move tycho-p2-repository-plugin:assemble-repository into an earlier phase (prepare-package).

Take a look at this example:

  <plugin>
    <groupId>org.eclipse.tycho</groupId>
    <artifactId>tycho-p2-repository-plugin</artifactId>
    <version>${tycho-version}</version>
    <executions>
      <execution>
        <id>default-assemble-repository</id>
        <!-- execute the assemble step in prepare-package -->
        <phase>prepare-package</phase>
      </execution>
    </executions>
  </plugin>
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.3.1</version>
    <configuration>
      <keystore>../test.parent/cert.jks</keystore>
      <storepass>storepass</storepass>
      <alias>alias</alias>
      <keypass>keypass</keypass>
      <arguments>
        <argument>-sigalg</argument>
        <argument>MD5withRSA</argument>
        <argument>-digestalg</argument>
        <argument>SHA1</argument>
      </arguments>
      <archiveDirectory>${project.build.directory}/repository</archiveDirectory>
      <includes>
        <include>features/*.jar</include>
        <!-- potentially only sign specific plugins -->
        <include>plugins/*.jar</include>
      </includes>
    </configuration>
    <executions>
      <execution>
        <id>sign</id>
        <phase>prepare-package</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

Result is a zip file containing all jars.

There is a small caveat, however:

The size of the artifacts increases due to signing, but the relevant size properties in artifacts.jar are not adjusted. This currently has no effect (it is only used to generate download progress bars in special situations), but it could lead to problems using some future p2 implementation.

Update

Seems the problem with the wrong checksum is known (see: https://bugs.eclipse.org/bugs/show_bug.cgi?id=347041).

Try to use eclipse-maven-signing-plugin to do all the necessary unpacking and adapting:

<plugin>
    <!-- <groupId>org.eclipse.dash.maven</groupId> -->
    <groupId>org.eclipse.jetty.toolchain</groupId>
    <artifactId>eclipse-signing-maven-plugin</artifactId>
    <version>1.0.0</version>
    <executions>
        <execution>
            <id>fixMD5Sums</id>
            <phase>package</phase>
            <goals>
                <goal>fixCheckSums</goal>
            </goals>
            <configuration>
                <inputFile>${project.build.directory}/${project.build.finalName}.zip</inputFile>
            </configuration>
        </execution>
    </executions>
</plugin>

This seems somewhat outdated, but could still work. Eclipse-maven-signing-plugin seems also to be able to do the whole signing process itself, but this would need further investigation.
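
To check the outcome of the workaround above, the following added example (not part of the original answer) lists which JARs under features/ and plugins/ of an assembled p2 repository carry signature entries, and which digest algorithm their .SF files record. The JAR file names, the sample repository and the function names are constructed for illustration; it is a presence check only, and `jarsigner -verify` remains the tool for validating the signatures themselves.

```python
import re
import tempfile
import zipfile
from pathlib import Path

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature blocks jarsigner writes
DIGEST_RE = re.compile(r"^([A-Za-z0-9-]+)-Digest-Manifest:", re.MULTILINE)


def inspect_jar(jar_path):
    """Return (signed, digest_algs); presence check only, no validation."""
    with zipfile.ZipFile(jar_path) as jar:
        meta = {n.upper(): n for n in jar.namelist()
                if n.upper().startswith("META-INF/") and n.count("/") == 1}
        signed, digests = False, set()
        for upper, name in meta.items():
            # A signature is an X.SF file plus an X.RSA/.DSA/.EC block.
            if upper.endswith(".SF") and any(
                    upper[:-3] + ext in meta for ext in SIG_BLOCK_EXT):
                signed = True
                text = jar.read(name).decode("utf-8", "replace")
                digests.update(DIGEST_RE.findall(text))
        return signed, sorted(digests)


def audit_repository(repo_dir):
    """Inspect every JAR under features/ and plugins/ of a p2 repository."""
    return {f"{sub}/{jar.name}": inspect_jar(jar)
            for sub in ("features", "plugins")
            for jar in sorted(Path(repo_dir, sub).glob("*.jar"))}


def build_sample_repo(root):
    """Constructed sample: one JAR with signature entries, one without."""
    plugins = Path(root, "plugins")
    plugins.mkdir(parents=True)
    with zipfile.ZipFile(plugins / "test.branding.plugin_1.0.0.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/ALIAS.SF", "Signature-Version: 1.0\n"
                   "SHA1-Digest-Manifest: AAAA\n")  # placeholder digest
        z.writestr("META-INF/ALIAS.RSA", b"placeholder")
    with zipfile.ZipFile(plugins / "test.plugin.nexus_1.0.0.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_repository(build_sample_repo(tmp)))
```

Pointed at `${project.build.directory}/repository` after the `prepare-package` phase, any entry reported as `(False, [])` is a JAR the signing step did not reach.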
