Maven 可以重新签署依赖项吗? [英] Can Maven re-sign dependencies?

问题描述

我正在使用 maven-jarsigner-plugin 来签署我的一个带阴影的 uber-jar.不过，我确实需要在它们自己的 jar 中分发一些依赖项，并且想从 Maven 存储库中获取这些 jar，清除它们的任何现有签名，并使用我自己的证书对其进行签名.

I'm using maven-jarsigner-plugin to sign a shaded uber-jar of mine. I do need to distribute some dependencies in their own jars though, and want to take those jars from a Maven repo, clear them of any existing signatures, and sign them with my own certificate.

是否有任何 Maven 插件可以做到这一点，或者我是否会涉及一些 Ant 插件黑客?

Are there any Maven plugins that do this, or would i involve some Ant plugin hackery?

推荐答案

原来 maven-jarsigner-plugin 可以使用它的 removeExistingSignatures re-sign 现有的 jars 配置元素.好简单！

Turns out maven-jarsigner-plugin can re-sign existing jars using it's removeExistingSignatures config element. So simple!

我在 generate-resources 阶段使用 maven-dependency-plugin 将工件复制到 .war 项目中，然后在 process-resources 中对它们进行签名 阶段.

I use maven-dependency-plugin to copy artifacts into a .war project in the generate-resources phase, then sign them in the process-resources phase.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.8</version>
    <executions>
        <execution>
            <id>copy</id>
            <phase>generate-resources</phase>
            <goals>
                <goal>copy</goal>
            </goals>
            <configuration>
                <artifactItems>
                    <artifactItem>
                        <groupId>org.lwjgl.lwjgl</groupId>
                        <artifactId>lwjgl-platform</artifactId>
                        <version>2.9.0</version>
                        <classifier>natives-osx</classifier>
                        <type>jar</type>
                        <overWrite>true</overWrite>
                        <outputDirectory>src/main/webapp/</outputDirectory>
                        <destFileName>lwjgl-platform-natives-osx.jar</destFileName>
                    </artifactItem>   
                </artifactItems>        
                <outputDirectory>src/main/webapp</outputDirectory>
                <overWriteReleases>true</overWriteReleases>
                <overWriteSnapshots>true</overWriteSnapshots>
            </configuration>
        </execution>
    </executions>
</plugin>

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.2</version>
    <executions>
        <execution>
            <id>sign</id>
            <phase>process-resources</phase>
        <goals>
            <goal>sign</goal>
            </goals>
    </execution>
    </executions>
    <configuration>
        <keystore>${basedir}/path/to/my.keystore</keystore>
        <alias>alias</alias>
        <storepass>password</storepass>
        <keypass>password</keypass>
        <verbose>true</verbose>
        <archiveDirectory>src/main/webapp/</archiveDirectory>
        <processMainArtifact>false</processMainArtifact>
        <removeExistingSignatures>true</removeExistingSignatures>
    </configuration>
</plugin>

这篇关于Maven 可以重新签署依赖项吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！