We have several maven projects, which are built on the build server. In some cases we want to sign our deliverables. We use Maven Jarsigner Plugin to do that.
We face the following questions:
We don't want to put our keystore somewhere on our servers and hardcode a path to it. So we just wrapped this keystore in a jar and uploaded it as an artifact to our internal maven repository. When we want to sign a maven project, we download the keystore artifact using the Maven Dependency Plugin and attach the signing goal to the maven build lifecycle. Here is more detailed information.
In order to hide the passwords for the keystore, we put them into our corporate pom.xml file. We are also thinking about storing passwords in settings.xml on the build server.
When a project is built and signed on a developer machine, we sign it with a self-signed certificate. But when the project is built and signed on a build server, we sign it with our "official" certificate.
Is it a good strategy?
I use 2 keystores:
The development keystore password is in the pom.xml. Here is a snippet of my pom.xml:
    <plugin>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <version>1.2</version>
      <configuration>
        <storetype>${keystore.type}</storetype>
        <keystore>${keystore.path}</keystore>
        <alias>${keystore.alias}</alias>
        <storepass>${keystore.store.password}</storepass>
        <keypass>${keystore.key.password}</keypass>
      </configuration>
    </plugin>

    <!-- ... rest of the pom.xml ... -->

    <properties>
      <keystore.path>cert/temp.keystore</keystore.path>
      <keystore.type>JKS</keystore.type>
      <keystore.alias>dev</keystore.alias>
      <keystore.password>dev_password</keystore.password>
      <keystore.store.password>${keystore.password}</keystore.store.password>
      <keystore.key.password>${keystore.password}</keystore.key.password>
    </properties>
In ~/.m2/settings.xml I defined a codesigning profile:
    <settings>
      <profiles>
        <profile>
          <id>codesigning</id>
          <properties>
            <keystore.path>/opt/prod/prod.keystore</keystore.path>
            <keystore.alias>prod</keystore.alias>
            <keystore.type>JKS</keystore.type>
            <keystore.store.password>${keystore.password}</keystore.store.password>
            <keystore.key.password>${keystore.password}</keystore.key.password>
          </properties>
        </profile>
      </profiles>
    </settings>
When I want to sign with the real certificate I invoke Maven with the -Pcodesigning -Dkeystore.password=strongPassword parameters. I also configured the maven-release-plugin to use the codesigning profile.
Actually it is possible to store the password in settings.xml as long as the file is readable by nobody but you.
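The two conditions the answer relies on (the jarsigner plugin never holds a literal secret, only ${property} placeholders, and the settings.xml that carries the production password is readable by nobody but its owner) can be checked before a signing build runs. The following is an added example, not code from the question or the answer; the pom.xml and settings.xml contents are constructed samples modelled on the snippets above, and the function names are this example's own.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment modelled on the answer's snippet (not the
# poster's file): every jarsigner secret is a ${property} placeholder, and the
# only literal password is the throwaway development one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <version>1.2</version>
      <configuration>
        <storetype>${keystore.type}</storetype>
        <keystore>${keystore.path}</keystore>
        <alias>${keystore.alias}</alias>
        <storepass>${keystore.store.password}</storepass>
        <keypass>${keystore.key.password}</keypass>
      </configuration>
    </plugin>
  </plugins></build>
  <properties>
    <keystore.path>cert/temp.keystore</keystore.path>
    <keystore.password>dev_password</keystore.password>
    <keystore.store.password>${keystore.password}</keystore.store.password>
    <keystore.key.password>${keystore.password}</keystore.key.password>
  </properties>
</project>
"""

# Constructed settings.xml with a production profile, as in the answer.
SAMPLE_SETTINGS = """<settings>
  <profiles><profile>
    <id>codesigning</id>
    <properties>
      <keystore.path>/opt/prod/prod.keystore</keystore.path>
      <keystore.store.password>${keystore.password}</keystore.store.password>
    </properties>
  </profile></profiles>
</settings>
"""


def _local(tag):
    """Strip the XML namespace so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _is_placeholder(value):
    return value.startswith("${") and value.endswith("}")


def jarsigner_literal_secrets(pom_xml):
    """Names of <storepass>/<keypass> entries in maven-jarsigner-plugin that
    carry a literal value instead of a ${property} placeholder."""
    findings = []
    for plugin in ET.fromstring(pom_xml).iter():
        if _local(plugin.tag) != "plugin":
            continue
        artifact = [c.text for c in plugin if _local(c.tag) == "artifactId"]
        if artifact != ["maven-jarsigner-plugin"]:
            continue
        for el in plugin.iter():
            if _local(el.tag) in ("storepass", "keypass"):
                if not _is_placeholder((el.text or "").strip()):
                    findings.append(_local(el.tag))
    return findings


def literal_password_properties(pom_xml):
    """Map of <properties> entries named *password that hold a literal value.
    The dev password from the answer is expected here; a production one is not."""
    found = {}
    for props in ET.fromstring(pom_xml).iter():
        if _local(props.tag) != "properties":
            continue
        for p in props:
            name, value = _local(p.tag), (p.text or "").strip()
            if name.endswith("password") and not _is_placeholder(value):
                found[name] = value
    return found


def settings_is_private(path):
    """True when the file is a regular file with no group/other permission
    bits, i.e. readable by nobody but its owner, as the answer requires."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def check_settings_permissions():
    """Write the sample settings.xml twice with different modes and report
    which copy would be acceptable on the build server."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("private", 0o600), ("shared", 0o644)):
            path = os.path.join(d, name + "-settings.xml")
            with open(path, "w", encoding="utf-8") as f:
                f.write(SAMPLE_SETTINGS)
            os.chmod(path, mode)
            results[name] = settings_is_private(path)
    return results


if __name__ == "__main__":
    print("literal jarsigner secrets:", jarsigner_literal_secrets(SAMPLE_POM))
    print("literal *password properties:", literal_password_properties(SAMPLE_POM))
    print("settings.xml modes acceptable:", check_settings_permissions())
```

Running the script on the sample pom reports no literal jarsigner secrets and exactly one literal password property (the development one), and accepts only the 0600 copy of settings.xml. One further point for the -Dkeystore.password=... invocation in the answer: a value passed on the command line is visible to other local users in the process list and is kept in shell history; Maven resolves ${env.NAME} in settings.xml properties, so the build server can supply the production password through an environment variable instead.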