Posted to users@maven.apache.org by diroussel <na...@diroussel.xsmail.com> on 2007/01/10 11:38:06 UTC

jar signing - the good and the bad

I version bumped my project to use the new maven-jar-plugin 2.1, and now I
have access to the jar signing feature.  It works very well, I just added
the following, and now all my jars are signed.  This is great because if two
developers create what they think is the same build on their own machines,
the two jar files are different binaries and have different checksums
(md5,sha1,etc).  However, if both jars are signed with the same cert, then
the signature is the same, and we can be sure of a good build.


      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.1</version>
        <executions>
           <execution>
              <goals>
                 <goal>sign</goal>
              </goals>
           </execution>
        </executions>
        <configuration>
           <keystore>..\build_resources\codeSigning\dev.keystore</keystore>
           <alias>codesign</alias>
           <storepass>topsecretpassword</storepass>
           <keypass>security</keypass>
           <signedjar>${project.build.directory}/signed/${project.build.finalName}.jar</signedjar>
           <verify>true</verify>
        </configuration>
      </plugin>

So far so good.  Both a signed and a non-signed jar are produced.

However, when I run my full build, of my multi-module project, I hit a
problem with surefire.  I get the error - 
"signer information does not match signer information of other classes in
the same package"

However, even if I run "mvn -X" I can't actually see which jar files it's
complaining about.  The test classpath is not listed.   However, I do have
the same package in two different projects, so I'm guessing it's complaining
about half the package being signed and half being in classes\.

The question is, why is surefire not using the un-signed jar.  I have two
jars:
target\MyJar.jar
target\signed\MyJar.jar

so why is surefire choosing the second one, not the normal one in the normal
place.

Any ideas?

Thanks

David
-- 
View this message in context: http://www.nabble.com/jar-signing---the-good-and-the-bad-tf2951737s177.html#a8255327
Sent from the Maven - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: jar signing - the good and the bad

Posted by diroussel <na...@diroussel.xsmail.com>.
Great, I get a lot further now.  You are very helpful Tom.

All my jars build ok and get signed.

It's just when it gets to the EJBs that it falls over now.

There exists a jar TATTestEJB\target\TATTestEJB.jar
But the jarsigner is looking for  TATTestEJB\target\TATTestEJB.ejb

I'm using maven-ejb-plugin 2.0 (latest release).  Do I need to do special
config for non-jar artifacts?

Thanks

David


Tom Huybrechts wrote:
> 
> Now you're instructing the normal jar:jar to also build the jar with a
> classifier.
> 
> Move the configuration inside the execution so that it will only
> affect the jar:sign.
> 
> Tom
> 

-- 
View this message in context: http://www.nabble.com/jar-signing---the-good-and-the-bad-tf2951737s177.html#a8274897
Sent from the Maven - Users mailing list archive at Nabble.com.




Re: jar signing - the good and the bad

Posted by Tom Huybrechts <to...@gmail.com>.
Now you're instructing the normal jar:jar to also build the jar with a
classifier.

Move the configuration inside the execution so that it will only
affect the jar:sign.

Tom


On 1/10/07, diroussel <na...@diroussel.xsmail.com> wrote:
>
> Ah, ok that makes sense.
>
> *goes off to look at classifiers*
>
> I've now changed my config to:
>
>
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-jar-plugin</artifactId>
>         <version>2.1</version>
>         <executions>
>            <execution>
>               <goals>
>                  <goal>sign</goal>
>               </goals>
>            </execution>
>         </executions>
>         <configuration>
>            <classifier>signed</classifier>
>            <keystore>..\build_resources\codeSign\dev.keystore</keystore>
>            <alias>codesign</alias>
>            <storepass>mypass</storepass>
>            <keypass>mypass</keypass>
>            <signedjar>${project.build.directory}/signed/${project.build.finalName}.jar</signedjar>
>            <verify>true</verify>
>         </configuration>
>       </plugin>
>
> But I get an error from jarsigner.exe that it can't find the jar, and indeed
> in my target I see:
> target\Base_J2SE-signed.jar
> target\signed\
>
> there is no unsigned jar! it's been removed.  Also the signed jar is not
> going in the 'signedjar' location.
>
> I think another problem is compounding this, I think the goal is being run
> twice.   As before I made this change it was signing the jar, then signing
> it again, then saying jar was already signed.
>
> Am I setting the classifier correctly?
>
> Thanks
>
> David
>
>
> Tom Huybrechts wrote:
> >
> > the JarSignMojo signs the original jar, and then does
> > project.getArtifact().setFile(signedJar) which basically tells all
> > later plugins that this is the output of this project.
> > That's probably why surefire is using the signed jar.
> > If you want to avoid this, assign a classifier to the signed jar.
> >
> > Tom
> >
> > On 1/10/07, Christian Goetze <cg...@miaow.com> wrote:
> >> diroussel wrote:
> >>
> >> >The question is, why is surefire not using the un-signed jar.  I have
> >> two
> >> >jars:
> >> >target\MyJar.jar
> >> >target\signed\MyJar.jar
> >> >
> >> >so why is surefire choosing the second one, not the normal one in the
> >> normal
> >> >place.
> >> >
> >> >Any ideas?
> >> >
> >> >
> >> >
> >> No ideas here, sorry....
> >>
> >> Just wanted to add my opinion that the jar signing should really be in
> >> the assembly plugin. It is not very useful to have it in the jar plugin,
> >> since all the third party jars which get pulled in via transitive
> >> dependencies won't get signed.
> >>
> >> Currently, I do the jar signing as a post-processing step outside of
> >> maven, for that reason. A pity, if you ask me...
> >> --
> >> cg
> >>
> >>
> >>
> >
> >
> >
> >
>
> --
> View this message in context: http://www.nabble.com/jar-signing---the-good-and-the-bad-tf2951737s177.html#a8262407
> Sent from the Maven - Users mailing list archive at Nabble.com.
>
>
>
>



Re: jar signing - the good and the bad

Posted by diroussel <na...@diroussel.xsmail.com>.
Ah, ok that makes sense.

*goes off to look at classifiers*

I've now changed my config to:


      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.1</version>
        <executions>
           <execution>
              <goals>
                 <goal>sign</goal>
              </goals>
           </execution>
        </executions>
        <configuration>
           <classifier>signed</classifier>
           <keystore>..\build_resources\codeSign\dev.keystore</keystore>
           <alias>codesign</alias>
           <storepass>mypass</storepass>
           <keypass>mypass</keypass>
           <signedjar>${project.build.directory}/signed/${project.build.finalName}.jar</signedjar>
           <verify>true</verify>
        </configuration>
      </plugin>

But I get an error from jarsigner.exe that it can't find the jar, and indeed
in my target I see:
target\Base_J2SE-signed.jar
target\signed\

there is no unsigned jar! it's been removed.  Also the signed jar is not
going in the 'signedjar' location.

I think another problem is compounding this, I think the goal is being run
twice.   As before I made this change it was signing the jar, then signing
it again, then saying jar was already signed.

Am I setting the classifier correctly?

Thanks

David


Tom Huybrechts wrote:
> 
> the JarSignMojo signs the original jar, and then does
> project.getArtifact().setFile(signedJar) which basically tells all
> later plugins that this is the output of this project.
> That's probably why surefire is using the signed jar.
> If you want to avoid this, assign a classifier to the signed jar.
> 
> Tom
> 
> On 1/10/07, Christian Goetze <cg...@miaow.com> wrote:
>> diroussel wrote:
>>
>> >The question is, why is surefire not using the un-signed jar.  I have
>> two
>> >jars:
>> >target\MyJar.jar
>> >target\signed\MyJar.jar
>> >
>> >so why is surefire choosing the second one, not the normal one in the
>> normal
>> >place.
>> >
>> >Any ideas?
>> >
>> >
>> >
>> No ideas here, sorry....
>>
>> Just wanted to add my opinion that the jar signing should really be in
>> the assembly plugin. It is not very useful to have it in the jar plugin,
>> since all the third party jars which get pulled in via transitive
>> dependencies won't get signed.
>>
>> Currently, I do the jar signing as a post-processing step outside of
>> maven, for that reason. A pity, if you ask me...
>> --
>> cg
>>
>>
>>
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/jar-signing---the-good-and-the-bad-tf2951737s177.html#a8262407
Sent from the Maven - Users mailing list archive at Nabble.com.




Re: jar signing - the good and the bad

Posted by Tom Huybrechts <to...@gmail.com>.
the JarSignMojo signs the original jar, and then does
project.getArtifact().setFile(signedJar) which basically tells all
later plugins that this is the output of this project.
That's probably why surefire is using the signed jar.
If you want to avoid this, assign a classifier to the signed jar.

Tom

On 1/10/07, Christian Goetze <cg...@miaow.com> wrote:
> diroussel wrote:
>
> >The question is, why is surefire not using the un-signed jar.  I have two
> >jars:
> >target\MyJar.jar
> >target\signed\MyJar.jar
> >
> >so why is surefire choosing the second one, not the normal one in the normal
> >place.
> >
> >Any ideas?
> >
> >
> >
> No ideas here, sorry....
>
> Just wanted to add my opinion that the jar signing should really be in
> the assembly plugin. It is not very useful to have it in the jar plugin,
> since all the third party jars which get pulled in via transitive
> dependencies won't get signed.
>
> Currently, I do the jar signing as a post-processing step outside of
> maven, for that reason. A pity, if you ask me...
> --
> cg
>
>
>

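Putting Tom's two replies together (give the signed jar a classifier so JarSignMojo attaches it as a secondary artifact instead of replacing the module's main artifact, and scope the signing configuration to the sign execution so jar:jar is not affected), the following POM fragment is an added example and not a configuration posted in this thread. The parameter names classifier, keystore, alias, storepass, keypass and verify are the ones the thread uses for maven-jar-plugin 2.1; the execution id, the explicit package phase and the codesign.storepass / codesign.keypass property names are assumptions made here.

```xml
<!-- Added example, not from the thread: signing scoped to one jar:sign execution,
     with the signed jar attached under its own classifier. Execution id, explicit
     phase and the ${codesign.*} properties are assumptions; the parameter names
     are those used in the thread for maven-jar-plugin 2.1. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jar-plugin</artifactId>
  <version>2.1</version>
  <executions>
    <execution>
      <!-- a single, named execution: the goal is bound once, so it is not
           run a second time against an already-signed jar -->
      <id>sign-jar</id>
      <phase>package</phase>
      <goals>
        <goal>sign</goal>
      </goals>
      <!-- configuration lives inside the execution, so it applies only to
           jar:sign; the default jar:jar still writes the unsigned
           target/<finalName>.jar, which remains the main artifact that
           surefire and dependent modules resolve -->
      <configuration>
        <!-- with a classifier the signed output is attached as
             target/<finalName>-signed.jar instead of replacing the main artifact -->
        <classifier>signed</classifier>
        <keystore>..\build_resources\codeSign\dev.keystore</keystore>
        <alias>codesign</alias>
        <!-- assumed properties: pass them via settings.xml or -D on the
             command line so the passwords are not committed with the POM -->
        <storepass>${codesign.storepass}</storepass>
        <keypass>${codesign.keypass}</keypass>
        <!-- run jarsigner -verify on the output as part of the build -->
        <verify>true</verify>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Run as `mvn package -Dcodesign.storepass=... -Dcodesign.keypass=...`; the build then leaves both target/<finalName>.jar (unsigned, the artifact later plugins see) and target/<finalName>-signed.jar in place, which matches the -signed.jar name David observed once he set the classifier. The signedjar parameter is deliberately left out, since the thread shows it is not honoured once a classifier is set. This only signs the module's own jar: as Christian notes, third-party jars pulled in through transitive dependencies are untouched, so an assembly that must be fully signed still needs a separate signing step over every jar it bundles.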


Re: jar signing - the good and the bad

Posted by Christian Goetze <cg...@miaow.com>.
diroussel wrote:

>The question is, why is surefire not using the un-signed jar.  I have two
>jars:
>target\MyJar.jar
>target\signed\MyJar.jar
>
>so why is surefire choosing the second one, not the normal one in the normal
>place.
>
>Any ideas?
>
>  
>
No ideas here, sorry....

Just wanted to add my opinion that the jar signing should really be in 
the assembly plugin. It is not very useful to have it in the jar plugin, 
since all the third party jars which get pulled in via transitive 
dependencies won't get signed.

Currently, I do the jar signing as a post-processing step outside of 
maven, for that reason. A pity, if you ask me...
--
cg
