I'd like to build an assembly and then sign it. My problem is that the jarsigner signs not the assembly, only the standalone jar file. Could you tell me what the problem is? Maven seems like 'magic' to me after having used Ant for years. I can't see the way the plugins cooperate and pass information to each other.
After executing mvn install, I get two jar files: one called example-1.0.0-SNAPSHOT.jar, which is signed, and one called example-1.0.0-jar-with-dependencies.jar, which is not signed. I do not need the solo one, only the assembly, but it has to be signed.
Here is my pom.xml:
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jarsigner-plugin</artifactId>
                <version>1.2</version>
                <executions>
                    <execution>
                        <id>sign</id>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <keystore>${project.basedir}\keystore\mykeystore</keystore>
                    <alias>myalias</alias>
                    <storepass>...</storepass>
                    <keypass>...</keypass>
                </configuration>
            </plugin>
            <plugin>
                <artifactId>maven-assembly-plugin</artifactId>
                <executions>
                    <execution>
                        <id>make-my-assembly</id>
                        <phase>package</phase>
                        <goals>
                            <goal>single</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <archive>
                        <manifest>
                            <mainClass>com.example.FooBar</mainClass>
                        </manifest>
                    </archive>
                    <appendAssemblyId>true</appendAssemblyId>
                    <descriptorRefs>
                        <descriptorRef>jar-with-dependencies</descriptorRef>
                    </descriptorRefs>
                </configuration>
            </plugin>
        </plugins>
    </build>
In order to compile the project into an executable jar, please run Maven with the mvn clean package command.
Signing a jar file, just like using certificates in other contexts, is done so that people using it know where it came from. People may trust that Chris Carruthers isn't going to write malicious code, and so they're willing to allow your applet access to their file system.
The Assembly Plugin for Maven enables developers to combine project output into a single distributable archive that also contains dependencies, modules, site documentation, and other files. Your project can easily build distribution "assemblies" using one of the prefabricated assembly descriptors.
    <configuration>
        <archiveDirectory>${project.build.directory}</archiveDirectory>
        <includes>
           <include>*.jar</include>
        </includes>
        <keystore>${project.basedir}/keystore/mykeystore</keystore>
        <alias>keyalias</alias>
        <storepass>storepass</storepass>
        <keypass>keypass</keypass>
    </configuration>
Refer to this: http://maven.apache.org/plugins/maven-jarsigner-plugin/sign-mojo.html
You should try to put the maven-assembly-plugin into the prepare-package phase instead of the package phase:
<plugin>
    <artifactId>maven-assembly-plugin</artifactId>
    <executions>
        <execution>
            <id>make-my-assembly</id>
            <phase>prepare-package</phase>
            <goals>
                <goal>single</goal>
            </goals>
        </execution>
    </executions>
    ...
</plugin>
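To confirm which jar in target/ actually ended up signed, here is an added example (not from the question or any of the answers): it lists the signers found in META-INF and every entry that no .SF file covers, which also catches an assembly that only carries a dependency's signature files. It is a structural check run on constructed sample jars; `signing_report` and `build_sample_jar` are names made up for this example, and `jarsigner -verify` remains the cryptographic check.

```python
import io
import re
import zipfile

# Files jarsigner itself writes or skips: the manifest and the signature material.
SIG_RELATED = re.compile(r"^META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)


def sf_entry_names(sf_text):
    """Entry names listed in a .SF file; folded lines continue with one leading space."""
    unfolded = re.sub(r"\r?\n ", "", sf_text)
    return {m.group(1) for m in re.finditer(r"^Name: (.*?)\r?$", unfolded, re.M)}


def signing_report(jar):
    """Structural check only: digests and certificates are not validated here."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        upper = {n.upper() for n in names}
        signers, covered = [], set()
        for n in names:
            if not re.match(r"^META-INF/[^/]+\.SF$", n, re.I):
                continue
            stem = n[:-3].upper()
            # A .SF file counts only when its signature block sits next to it.
            if any(stem + ext in upper for ext in (".RSA", ".DSA", ".EC")):
                signers.append(n[len("META-INF/"):-3])
                covered |= sf_entry_names(zf.read(n).decode("utf-8"))
        payload = [n for n in names if not n.endswith("/") and not SIG_RELATED.match(n)]
        uncovered = sorted(n for n in payload if n not in covered)
    return {"signers": sorted(signers), "uncovered": uncovered,
            "fully_signed": bool(signers) and not uncovered}


def build_sample_jar(entries, signers):
    """Constructed sample: `signers` maps an alias to the entry names its .SF lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
        for alias, listed in signers.items():
            body = "Signature-Version: 1.0\r\n\r\n" + "".join(
                f"Name: {e}\r\nSHA-256-Digest: AAAA\r\n\r\n" for e in listed)
            zf.writestr(f"META-INF/{alias}.SF", body)
            zf.writestr(f"META-INF/{alias}.RSA", b"constructed placeholder, not a real PKCS#7 block")
    buf.seek(0)
    return buf
```

`signing_report` also accepts a file path, so it can be pointed at each jar under target/ after the build.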