[ http://jira.codehaus.org/browse/MOJO-263?page=comments#action_57050 ]
Geoffrey De Smet commented on MOJO-263: --------------------------------------- Acegi's jar are good test cases (they are signed by Ben Alex in ibiblio). When unsigning, don't forget to remove META-INF/*.SF and META-INF/*.RSA (case insensitive) An option unsignAnyAlreadySigned would be handy, not to have to note every jar to unsign. Some properties of sign should be able to set in ~/.m2/settings.xml (this should be documented too), such as: path to keyfile, key type, alias, passphrase, etc. It's probably recommended to talk this over with core developers to formalize this in settings.xml as it might be needed for other use cases too. > [webstart] deal with unsigned jars > ---------------------------------- > > Key: MOJO-263 > URL: http://jira.codehaus.org/browse/MOJO-263 > Project: Mojo > Type: New Feature > Components: sandbox > Reporter: Jerome Lacoste > > > There are potential issues when dealing with including such already signed > jars in a webstart application. > In particular see: > http://jira.codehaus.org/browse/MOJO-7#action_49160 > and the relevant m1 jnlp issues: > http://jira.codehaus.org/browse/MPJNLP-20 > http://jira.codehaus.org/browse/MPJNLP-28 > According to the feedback I got on the maven user list, I think that, in > order to satisfy everybody, we need to: > - handle already signed jars (MPJNLP-28) > - primarily we need the possibility to unsign a jar. That will probably go > to jar:unsign. > - optionally avoid signing jars that are already signed. > - optionally clean the Manifest (maven1 jnlp feature, to work around SDK 1.3 > issue - See MPJNLP-20) > Did I miss something? > Now how do we present that to the user? > We could: > - assume that every jar will be signed by default > - let the user list the operation to perform, maybe using something like: > <sign> > <dname>...</dname> > ... > <unsign> > <dependency>...</dependency> > </unsign> > <skipSignedJars>true<skipSignedJars> > <cleanManifest>true</cleanManifest> > </sign> > Does that look correct? -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
