I have a legacy project that requires many third-party dependencies. Those dependencies need to be signed. The resulting dependencies, along with the Swing project, are to be served through a JNLP file. The fact that we need to re-sign all these dependencies with every build adds a lot of overhead to the build time. My first attempt to achieve this is to create an external POM file with all these dependencies. The dependencies POM signs them, and when deployed to our internal nexus3, we have them cached. Subsequent builds for the Swing project do not need to sign them as they are already signed.
I tried to use the build-helper Maven plugin to attach those dependencies. I was hoping to change their classifiers after signing and retrieve them with <classifier>signed</classifier>. The problem is build-helper attaches only files, and it does not take coordinates. Additionally, it accepts only one file, and the whole dependencies list. Basically, I am trying to accomplish the following steps:

1- Declare the dependencies in the POM/BOM
2- Sign them
3- Assign new classifier "signed"
4- Make them available through an internal repository.

What is the best way to achieve this?
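
One way to carry out the four steps above, as an added example that is not part of the original post: copy the dependencies declared in the POM in repository layout, sign each jar once, and redeploy it under its own coordinates with the "signed" classifier. REPO_URL, REPO_ID, KEYSTORE, KEY_ALIAS, KEYSTORE_PASS and the target/deps directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. All variables are assumptions.
DEPS_DIR=${DEPS_DIR:-target/deps}

# Map a repository-layout path (group/dirs/artifactId/version/file.jar)
# to "groupId artifactId version"; fail on paths that are too short.
coords_from_path() (
  rel=${1%/*}                        # strip the file name
  version=${rel##*/}; rel=${rel%/*}
  artifact=${rel##*/}; group=${rel%/*}
  [ "$group" != "$rel" ] && [ -n "$version" ] || return 1
  printf '%s %s %s\n' "$(printf '%s' "$group" | tr / .)" "$artifact" "$version"
)

# Sign one jar in place, then publish it as <coordinates>:jar:signed.
sign_and_deploy() (
  set -e
  jar=$1
  c=$(coords_from_path "${jar#"$DEPS_DIR"/}") || { echo "skip $jar" >&2; exit 0; }
  set -- $c                          # $1=groupId $2=artifactId $3=version
  # The keystore password is read from the environment variable
  # KEYSTORE_PASS, so it does not show up in the process list or build log.
  jarsigner -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS "$jar" "$KEY_ALIAS"
  mvn -B deploy:deploy-file -Dfile="$jar" -DgroupId="$1" -DartifactId="$2" \
      -Dversion="$3" -Dpackaging=jar -Dclassifier=signed -DgeneratePom=false \
      -DrepositoryId="$REPO_ID" -Durl="$REPO_URL"
)

main() {
  : "${REPO_URL:?}" "${REPO_ID:?}" "${KEYSTORE:?}" "${KEY_ALIAS:?}" "${KEYSTORE_PASS:?}"
  # Step 1: the dependencies come from the POM in the current directory.
  mvn -B dependency:copy-dependencies -Dmdep.useRepositoryLayout=true \
      -DoutputDirectory="$DEPS_DIR"
  # Steps 2-4: sign, classify and deploy each jar.
  find "$DEPS_DIR" -name '*.jar' | while IFS= read -r jar; do
    sign_and_deploy "$jar"
  done
}

# Run only when asked to, e.g. `sh sign-deps.sh run` from the dependencies POM.
if [ "${1:-}" = run ]; then main; fi
```

The Swing build then declares each dependency with <classifier>signed</classifier> and skips the signing step; the script only needs to run again when the dependency list or the signing certificate changes.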