Webstart: Force signing of already signed JARs

[t0asti]

Hi all,

I added a profile in the pom.xml of my project (see production profile in petclinic-standalone), to generate a Webstart-version of my client and sign it with my own certificate. Currently it's impossible to start the client via Webstart, as one jar (bcprov-jdk15-133.jar) is signed with a different certificate.

I just grepped through the buildlog and discovered, that the jar is skipped and does actually no get signed with my certificate, as it's already signed with a certificate of the vendor/provider:

Code:

[debug] jarsigner executable=[c:\Programme\Java\jdk1.6.0_01\jre\..\bin\jarsigner.exe]
[debug] Executing: c:\Programme\Java\jdk1.6.0_01\jre\..\bin\jarsigner.exe -verify c:\dev\workspace\rcp-client\target\jnlp\bcprov-jdk15-133.jar
[info] jar verified.
[info] JAR c:\dev\workspace\rcp-client\target\jnlp\bcprov-jdk15-133.jar is already signed. Skipping.

Has anyone some experience on how to modify the pom.xml to sign all dependent jars, regardless of them being already signed or not?

Thanks in advance for any advice,
t0asti

[t0asti]

Okay, I can answer this question myself now, it's a maven issue

After searching for some maven options to avoid the problem, I found the relevant issues:
http://jira.codehaus.org/browse/MJAR-24 (jar-plugin avoids to sign jars twice)
http://jira.codehaus.org/browse/MWEBSTART-1 (webstart does need it though, still open)

[rdawes]

You can get around this issue by using multiple .jnlp files.

I have the same problem with the JavaHelp library, which is signed by Sun. You can see how I tackled it in my project:

POM: http://dawes.za.net/gitweb.cgi?p=daw...om.xml;hb=HEAD

src/main/jnlp/template.vm: http://dawes.za.net/gitweb.cgi?p=daw...ate.vm;hb=HEAD

And the jhelp.jnlp which appears not to be checked in (!) looks like:

Code:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://dawes.za.net/rogan/webscarab-ng/webstart/lib/" href="help.jnlp">
 <information>
   <title>JavaHelp</title>
   <vendor>Sun Microsystems, Inc.</vendor>
   <offline-allowed/>
 </information>
 <resources>
   <jar href="jhelp-2.0.jar"/>
 </resources>
 <component-desc/>
</jnlp>

[t0asti]

I currently worked my way around it, by removing XFire as a dependency, as I don't need it at the moment. But thanks for your examples, still saw some nice ideas and maybe I'll need one of them.

[ge0ffrey]

Another workaround it is to open the jar, remove the 2 signature files in the META-INF (whoever.rsa an whoever.sf I think) and clean up the manifest mf,
then redeploy that to your m2 repo as version-unsigned