jar signing - the good and the bad

Wed, 10 Jan 2007 02:38:30 -0800 

I version bumped my project to use the new maven-jar-plugin 2.1, and now I
have access to the jar signing feature.  It works very well, I just added
the following, and now all my jars are signed.  This is great because if two
developers create what then think is the same build on their own machines,
the two jar files are different binaries and have difference checksums
(md5,sha1,etc).  However, if both jars are signed with the same cert, then
the signiture is the same, and we can be sure of a good build.


      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.1</version>        
        <executions>
           <execution>
              <goals>
                 <goal>sign</goal>
              </goals>
           </execution>
        </executions>
        <configuration>
           <keystore>..\build_resources\codeSigning\dev.keystore</keystore>
           <alias>codesign</alias>
           <storepass>topsecretpassword</storepass>
           <keypass>security</keypass>
          
<signedjar>${project.build.directory}/signed/${project.build.finalName}.jar</signedjar>
           <verify>true</verify>
        </configuration>
      </plugin>

So far so good.  Both a signed and a none-signed jar are produced.

However, when I run my full build, of my multi-module project, I hit a
problem with surefire.  I get the error - 
"signer information does not match signer information of other classes in
the same package"

However, even if I run "mvn -X" I can't actually see which jar files it's
complaining about.  The test classpath is not listed.   However, I do have
the same package in two different projects, so I'm guessing it's complaining
about half the package being signed and half being in classes\.

The question is, why is surefire not using the un-signed jar.  I have two
jars:
target\MyJar.jar
target\signed\MyJar.jar

so why is surefire choosing the second one, not the normal one in the normal
place.

Any ideas?

Thanks

David
-- 
View this message in context: 
http://www.nabble.com/jar-signing---the-good-and-the-bad-tf2951737s177.html#a8255327
Sent from the Maven - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to