We're building a webstart application.  For this, we have to sign jars.  We 
use the webstart-maven-plugin, and it does the job well enough.  However, we 
spend a lot of time re-signing the same unchanged jars (various third-party 
dependencies).  They get re-signed as a consequence of a clean.  This is 
particularly annoying because we're stuck with Java 1.4.2, which signs really 
slowly compared to 1.5.

What I'd really like to do is have signed jars in the repository (local or 
corporate).  Unfortunately, we have some test tools that don't play well with 
signed jars, so it's not a question of "sign them once and manually install 
them in place of the original jar".

What I think I want to do is use a classifier.  I can see three strategies for 
this:  

Both strategies involve changing the webstart plugin to ask for jars 
classified with "signed-by-foo".  The question then becomes the best way to 
install them:

A) in a caching-proxy repo, when asked for a jar with 
classifier "signed-by-foo", it returns the one it has, or it signs it on the 
fly, caches it and returns it.

B) When the plugin cannot get the signed artifact, get the unsigned one, sign 
it, and install it with the appropriate classifier.  There may be elements 
here that belong in the jar plugin.

C) Just do it manually.  We're probably talking about 20 third-party jars.  If 
not found the plugin could continue and sign a local copy to use (which would 
cover the signing for OUR jars)

This is really going to get worse as we actually have multiple webstart parts 
(but only 1 is under maven).  When we're fully mavened, we'll be signing the 
same jars over and over in one build.

Basically, I'm seeking comments and suggestions on my proposal(s).

Many thanks.
David
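
A sketch of strategy B from the message above, as an added example that is not part of the original post or of the webstart-maven-plugin: reuse a classified signed jar from the local repository only if it is newer than the unsigned jar and still verifies, otherwise sign and install it. The keystore path, the key alias `foo`, the repository location and all function names are assumptions.

```shell
#!/bin/sh
# Strategy B sketch: reuse a signed jar from the local repository, or sign
# the unsigned one and install it under a classifier.
# Assumptions (not from the original post): keystore path, key alias and
# the Maven 2 local repository layout used below.
REPO="${REPO:-$HOME/.m2/repository}"
KEYSTORE="${KEYSTORE:-$HOME/.keystore}"
ALIAS="${ALIAS:-foo}"
CLASSIFIER="signed-by-$ALIAS"

# artifact_path REPO GROUP ARTIFACT VERSION [CLASSIFIER] -> path of the jar
artifact_path() {
    dir="$1/$(printf '%s' "$2" | tr . /)/$3/$4"
    if [ -n "$5" ]; then
        printf '%s\n' "$dir/$3-$4-$5.jar"
    else
        printf '%s\n' "$dir/$3-$4.jar"
    fi
}

# needs_signing UNSIGNED SIGNED -> 0 when the cached signed jar is missing
# or older than the unsigned jar (e.g. an updated SNAPSHOT), 1 otherwise.
needs_signing() {
    [ ! -f "$2" ] && return 0
    [ "$1" -nt "$2" ] && return 0
    return 1
}

# cached_jar_verifies SIGNED -> 0 only if jarsigner reports "jar verified".
cached_jar_verifies() {
    jarsigner -verify "$1" 2>/dev/null | grep -q "jar verified"
}

# ensure_signed GROUP ARTIFACT VERSION -> prints path of a usable signed jar
ensure_signed() {
    unsigned=$(artifact_path "$REPO" "$1" "$2" "$3")
    signed=$(artifact_path "$REPO" "$1" "$2" "$3" "$CLASSIFIER")
    if needs_signing "$unsigned" "$signed" || ! cached_jar_verifies "$signed"; then
        tmp="${TMPDIR:-/tmp}/$2-$3-$CLASSIFIER.$$.jar"
        # jarsigner prompts for the keystore password when none is given
        jarsigner -keystore "$KEYSTORE" -signedjar "$tmp" "$unsigned" "$ALIAS" >&2 || return 1
        mvn -q install:install-file -Dfile="$tmp" -DgroupId="$1" -DartifactId="$2" \
            -Dversion="$3" -Dpackaging=jar -Dclassifier="$CLASSIFIER" >&2 || return 1
        rm -f "$tmp"
    fi
    printf '%s\n' "$signed"
}

# Run only when called with GROUP ARTIFACT VERSION arguments.
if [ "$#" -eq 3 ]; then ensure_signed "$@"; fi
```

The verification step matters because a jar sitting in a shared or proxy repository under a "signed" classifier is only trustworthy if its signature still checks out against the expected key.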
