如何告诉maven-shade-plugin保留签名？ [英] How to tell the maven-shade-plugin to preserve signatures?

问题描述

我正在使用maven-shade-plugin将两个单独的罐子组合成一个组合罐子。

I am using the maven-shade-plugin to combine two seperate jars into a single combined jar.

其中一个罐子是签名的，而另一个不是。

One of the jars is signed, while the other is not.

如果我使用插件的默认配置，它将构建一个损坏的jar，因为新清单缺少签名所需的摘要。

If I use the default configuration of the plugin, it will build a broken jar as the new manifest is missing the digest needed by the signature.

我可以通过排除签名文件来修复jar，但这当然会导致一个完全未签名的jar。

I could "fix" the jar by excluding the signature files, but this will of course result in a completely unsigned jar.

我正在寻找一种方法来创建一个组合jar，所有已签名的类仍保持签名和有效。 - jar格式允许那些罐子，但我找不到一个简单的方法告诉阴影插件这样做。

I am looking for a way to create a combined jar with all the signed classes remaining signed and valid. - The jar format allows those kind of jars but I could not find an easy way to tell the shade plugin to do so.

我应该写自己的变压器做一个正确合并清单文件，或者在我找不到的shade-plugin中已经有合适的选项了吗？

Should I write my own transformer to do a proper merging of manifest files or is there already a suitable option in the shade-plugin I did not find, yet?

示例：

pom.xml（定义两个模块foo和bar）

pom.xml (defining two modules "foo" and "bar")

<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>mygroup</groupId>
  <artifactId>myparent</artifactId>
  <packaging>pom</packaging>
  <version>1.0</version>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <modules>
    <module>foo</module>
    <module>bar</module>
  </modules>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.4</version>
        <configuration>
          <archive>
            <addMavenDescriptor>false</addMavenDescriptor>
          </archive>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

foo / pom.xml :(将签名栏组合成unsigned foo）

foo/pom.xml: (combine signed bar into unsigned foo)

<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0                              http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>mygroup</groupId>
    <artifactId>myparent</artifactId>
    <version>1.0</version>
  </parent>
  <artifactId>foo</artifactId>
  <dependencies>
    <dependency>
      <groupId>mygroup</groupId>
      <artifactId>bar</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>2.3</version>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>shade</goal>
            </goals>
            <configuration>
              <transformers>
                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                  <manifestEntries>
                    <Main-Class>Foo</Main-Class>
                  </manifestEntries>
                </transformer>
              </transformers>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

bar / pom.xml :(创建签名栏）

bar/pom.xml: (create signed bar)

<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0                              http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>mygroup</groupId>
    <artifactId>myparent</artifactId>
    <version>1.0</version>
  </parent>
  <artifactId>bar</artifactId>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jarsigner-plugin</artifactId>
        <version>1.3.2</version>
        <configuration>
          <keystore>${user.home}/keystore-name</keystore>
          <alias>alias-name</alias>
          <storepass>123456</storepass>
        </configuration>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
          <execution>
            <id>verify</id>
            <goals>
              <goal>verify</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

如果两个模块都包含一个hello-word类，我希望 java -jar foo / target / foo-1.0.jar 工作和 jarsigner -verify foo / target / foo-1.0.jar 讲述签名类的存在。

If both modules contain a single hello-word class, I would expect java -jar foo/target/foo-1.0.jar to work and jarsigner -verify foo/target/foo-1.0.jar to tell about the presence of signed classes.

推荐答案

maven shade插件与签名的jar无法很好地协作。我建议你更好地了解 Capsule 方式有点工作。

The maven shade plugin does not play nicely with signed jars. I would recommend you take a look at Capsule that is way better to do this kind of job.

这篇关于如何告诉maven-shade-plugin保留签名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！