Maven JNLP creation with EV Code Signing
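I am using Maven and the webstart-maven-plugin to generate a JNLP file and sign my project's jar files. We just had to renew our code signing certificate, and since February 2017 a hardware token is provided instead of a software token.
According to the GlobalSign support page, the correct way to sign a jar with a hardware token is the following (see article):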
jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5"
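I followed all the steps described in that article, and now I am trying to adapt my pom.xml to apply the EV code signing certificate.
Originally I used a keystore (snippet, full pom below):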
<!-- SIGNING -->
<sign>
<keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore>
<keypass>...</keypass>
<storepass>...</storepass>
<alias>...</alias>
<verify>true</verify>
</sign>
Now I am trying to update it to make EV code signing work (snippet, full pom below):
<!-- SIGNING -->
<sign>
<keystore>NONE</keystore>
<storetype>PKCS11</storetype>
<storepass>...</storepass>
<tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
<providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
<alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example -->
<verify>true</verify>
</sign>
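However, it seems that tsa, providerClass and providerArg are not supported, unless I am missing something. I did not find much information about the webstart-maven-plugin, or it is not up to date, which is a pity :(
Is there another/better way to sign the jars when creating the JNLP? Any help would be appreciated!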
pom.xml code signing (using a keystore)
<profile>
<id>jnlp</id>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-maven-plugin</artifactId>
<version>1.0-beta-6</version>
<dependencies>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-pack200-impl</artifactId>
<version>1.0-beta-6</version>
</dependency>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>keytool-api-1.7</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>jnlp</goal>
</goals>
</execution>
</executions>
<configuration>
<!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory -->
<libPath>lib</libPath>
<!-- JNLP generation -->
<jnlp>
<mainClass>myApp.ui.MainApp</mainClass>
</jnlp>
<!-- SIGNING -->
<sign>
<keystore>${project.basedir}/src/main/jnlp/my.keystore</keystore>
<keypass>...</keypass>
<storepass>...</storepass>
<alias>...</alias>
<verify>true</verify>
</sign>
<verbose>true</verbose>
<updateManifestEntries>
<Application-Name>MyApp</Application-Name>
<Permissions>all-permissions</Permissions>
<Codebase>...</Codebase>
<Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase>
<Caller-Allowable-Codebase>...</Caller-Allowable-Codebase>
</updateManifestEntries>
<!-- BUILDING PROCESS -->
<pack200>
<enabled>false</enabled>
</pack200>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.6</version>
<configuration>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
</configuration>
<executions>
<execution>
<id>assemble-all</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
pom.xml EV code signing (using the SafeNet token)
<profile>
<id>jnlp</id>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-maven-plugin</artifactId>
<version>1.0-beta-7</version>
<dependencies>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-pack200-impl</artifactId>
<version>1.0-beta-6</version>
</dependency>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>keytool-api-1.7</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>jnlp</goal>
</goals>
</execution>
</executions>
<configuration>
<!-- The path where the libraries are stored within the jnlp structure. not required. by default the libraries are within the working directory -->
<libPath>lib</libPath>
<!-- JNLP generation -->
<jnlp>
<mainClass>myApp.ui.MainApp</mainClass>
</jnlp>
<!-- SIGNING -->
<sign>
<keystore>NONE</keystore>
<storetype>PKCS11</storetype>
<storepass>...</storepass>
<tsa>http://timestamp.globalsign.com/scripts/timestamp.dll</tsa>
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
<providerArg>${project.basedir}/src/main/resources/token/eToken.config</providerArg>
<alias>le-d0e453de-66db-414a-8fa8-0a07cfad66b5</alias> <!-- I took the alias from the article as an example -->
<verify>true</verify>
</sign>
<verbose>true</verbose>
<updateManifestEntries>
<Application-Name>MyApp</Application-Name>
<Permissions>all-permissions</Permissions>
<Codebase>...</Codebase>
<Application-Library-Allowable-Codebase>...</Application-Library-Allowable-Codebase>
<Caller-Allowable-Codebase>...</Caller-Allowable-Codebase>
</updateManifestEntries>
<!-- BUILDING PROCESS -->
<pack200>
<enabled>false</enabled>
</pack200>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.6</version>
<configuration>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
</configuration>
<executions>
<execution>
<id>assemble-all</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
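Why not use javafxpackager? It can create both Java Web Start and executable forms and sign them easily. It is what Oracle recommends. I have been doing this for years and really like it. I am using its ant tasks, but I believe there is a maven plugin as well.
More information here:
I ran into the same problem these past few days. I successfully used a "workaround".
Workaround 1 (one fat jar):
- maven-shade-plugin (this is an easy way to create a "fat jar" with dependencies, and then just sign this one jar)
- maven-jarsigner-plugin (signs the shaded jar from the token)
- webstart-maven-plugin (only for the JNLP part)
Here is my pom: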
<dependencies>
...
</dependencies>
<build>
<plugins>
...
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>shade</id>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
<configuration>
<transformers>
<transformer
implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
<manifestEntries>
<Permissions>all-permissions</Permissions>
</manifestEntries>
</transformer>
</transformers>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jarsigner-plugin</artifactId>
<version>1.4</version>
<executions>
<execution>
<id>sign</id>
<phase>package</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
<configuration>
<keystore>NONE</keystore>
<storepass>******</storepass>
<storetype>PKCS11</storetype>
<tsa>http://rxxxxx.globalsign.com/advanced</tsa>
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
<providerArg>${project.basedir}/src/main/eToken.cfg</providerArg>
<alias>xxxxxxxxxxxxx</alias>
<archive>${project.build.directory}/${project.build.FinalName}.${project.packaging}</archive>
<arguments>
<argument>-J-Dhttp.proxyHost=my.proxy.com</argument>
<argument>-J-Dhttp.proxyPort=8080</argument>
</arguments>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo.webstart</groupId>
<artifactId>webstart-maven-plugin</artifactId>
<version>1.0-beta-7</version>
<executions>
<execution>
<id>build-jnlp</id>
<phase>package</phase>
<goals>
<goal>jnlp</goal>
</goals>
</execution>
</executions>
<configuration>
<makeArchive>false</makeArchive>
<jnlp>
<inputTemplateResourcePath>${project.basedir}/src/main/jnlp</inputTemplateResourcePath>
<inputTemplate>template.vm</inputTemplate>
<mainClass>test</mainClass>
</jnlp>
</configuration>
</plugin>
</plugins>
</build>
And template.vm:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://www.mycompany.com/poc" href="launch.jnlp">
<information>
<title>xxxx</title>
<vendor>$project.Organization.Name</vendor>
<homepage href="http://www.mycompany.com" />
<description>$project.Description</description>
<offline-allowed />
</information>
<security>
<all-permissions />
</security>
<resources>
<j2se version="1.7+" />
$dependencies
</resources>
<application-desc main-class="$mainClass" />
</jnlp>
Workaround 2 (several jars):
- maven-jar-plugin (sets all-permissions in the main jar's manifest)
- webstart-maven-plugin (only for the JNLP part)
- maven-jarsigner-plugin (signs all jars in /jnlp from the token)
Here is my pom:
<dependencies>
...
</dependencies>
<build>
<plugins>
...
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<executions>
<execution>
<id>update-manifest-permissions-entry</id>
<phase>prepare-package</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
<configuration>
<archive>
<addMavenDescriptor>false</addMavenDescriptor>
<manifestEntries>
<Permissions>all-permissions</Permissions>
</manifestEntries>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-maven-plugin</artifactId>
<version>1.0-beta-7</version>
<executions>
<execution>
<id>build-jnlp</id>
<phase>package</phase>
<goals>
<goal>jnlp</goal>
</goals>
</execution>
</executions>
<configuration>
<makeArchive>false</makeArchive>
<jnlp>
<inputTemplateResourcePath>${project.basedir}/src/main/jnlp</inputTemplateResourcePath>
<inputTemplate>template.vm</inputTemplate>
<mainClass>test</mainClass>
</jnlp>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jarsigner-plugin</artifactId>
<version>1.4</version>
<executions>
<execution>
<id>sign</id>
<phase>install</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
<configuration>
<keystore>NONE</keystore>
<storepass>xxxxx</storepass>
<storetype>PKCS11</storetype>
<tsa>http://xxx.globalsign.com/xxx</tsa>
<providerClass>sun.security.pkcs11.SunPKCS11</providerClass>
<providerArg>${project.basedir}/src/main/eToken.cfg</providerArg>
<alias>xxxxxxx</alias>
<processMainArtifact>false</processMainArtifact>
<archiveDirectory>${project.build.directory}/jnlp</archiveDirectory>
<arguments>
<argument>-J-Dhttp.proxyHost=myproxy.company.com</argument>
<argument>-J-Dhttp.proxyPort=8080</argument>
</arguments>
</configuration>
</plugin>
</plugins>
</build>
And template.vm:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://www.mycompany.com/poc" href="launch.jnlp">
<information>
<title>xxxx</title>
<vendor>$project.Organization.Name</vendor>
<homepage href="http://www.mycompany.com" />
<description>$project.Description</description>
<offline-allowed />
</information>
<security>
<all-permissions />
</security>
<resources>
<j2se version="1.7+" />
$dependencies
</resources>
<application-desc main-class="$mainClass" />
</jnlp>
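A post-build check for the setups above, as an added example that is not part of the original answers: it walks the JNLP output directory (`target/jnlp` in workaround 2) and reports jars that have no signature block, whose signature block lacks the timestamp attribute that `-tsa` adds, or that contain entries without a manifest digest. The script name, `build_sample_jar` and its dummy signature bytes are constructed for illustration; the timestamp test is a byte-pattern heuristic and does not replace `jarsigner -verify`.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# DER bytes of OID 1.2.840.113549.1.9.16.2.14 (id-aa-timeStampToken), the
# unsigned PKCS#7 attribute that holds the RFC 3161 token when -tsa is used.
TS_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)
MANIFEST = "META-INF/MANIFEST.MF"


def manifest_names(manifest_bytes):
    """Return the entry names that have a per-entry section in MANIFEST.MF."""
    text = manifest_bytes.decode("utf-8", "replace").replace("\r\n", "\n")
    text = text.replace("\n ", "")  # unfold 72-byte continuation lines
    return {line[6:] for line in text.split("\n") if line.startswith("Name: ")}


def audit_jar(jar):
    """Return findings for one jar (path or file object); [] means it passed."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        upper = {n.upper() for n in names}
        blocks = [n for n in names if SIG_BLOCK.match(n)]
        if not blocks:
            return ["unsigned: no META-INF/*.RSA, *.DSA or *.EC signature block"]
        for block in blocks:
            if (block.rsplit(".", 1)[0] + ".SF").upper() not in upper:
                findings.append(f"{block}: matching .SF file is missing")
            # Heuristic: look for the attribute OID; the token is not validated.
            if TS_TOKEN_OID not in zf.read(block):
                findings.append(f"{block}: no timestamp token (signed without -tsa?)")
        listed = manifest_names(zf.read(MANIFEST)) if MANIFEST in names else set()
        for name in names:
            # Simplification: everything under META-INF/ is skipped here.
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue
            if name not in listed:
                findings.append(f"{name}: no digest in MANIFEST.MF (added after signing?)")
    return findings


def audit_directory(directory):
    """Audit every *.jar below directory; return {jar: findings} for failures."""
    jars = sorted(Path(directory).rglob("*.jar"))
    if not jars:
        return {str(directory): ["no jars found"]}
    report = {str(jar): audit_jar(jar) for jar in jars}
    return {jar: findings for jar, findings in report.items() if findings}


def build_sample_jar(signed=True, timestamped=True, extra_entry=False):
    """Constructed in-memory sample jar; the signature block is dummy bytes."""
    manifest = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n"
                "Name: test/Main.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("test/Main.class", b"\xca\xfe\xba\xbe")
        if extra_entry:  # entry added after the (pretend) signing step
            zf.writestr("test/Injected.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            block = b"dummy-pkcs7" + (TS_TOKEN_OID if timestamped else b"")
            zf.writestr("META-INF/SIGNER.RSA", block)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python audit_jnlp_jars.py target/jnlp
    failures = audit_directory(sys.argv[1] if len(sys.argv) > 1 else "target/jnlp")
    for jar, findings in failures.items():
        for finding in findings:
            print(f"{jar}: {finding}")
    sys.exit(1 if failures else 0)
```

Run it after the phase in which maven-jarsigner-plugin executes; a non-zero exit code means at least one jar in the directory would be delivered unsigned or without a timestamp.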
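Disclaimer: I am the maintainer of the javafx-maven-plugin.
This has been reported and is now available; for details see this link: https://github.com/javafx-maven-plugin/javafx-maven-plugin/issues/291
As already mentioned in the javafx-maven-plugin, here is the solution for implementing this: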
<plugin>
<groupId>com.zenjava</groupId>
<artifactId>javafx-maven-plugin</artifactId>
<version>8.8.4-SNAPSHOT</version>
<!-- this configuration is shared among all executions -->
<configuration>
<mainClass>fqdn.to.your.MainClass</mainClass>
<description>test signing</description>
<title>launch</title>
<verbose>true</verbose>
<j2seVersion>1.8+</j2seVersion>
<appName>simpleApplicationName</appName>
<!-- this only sets the field inside jar-file -->
<allPermissions>true</allPermissions>
</configuration>
<executions>
<execution>
<!-- required before build-native, creates target/jfx/app -->
<id>create-jfxjar</id>
<phase>package</phase>
<goals>
<goal>build-jar</goal>
</goals>
</execution>
<execution>
<!-- creates target/jfx/web -->
<id>create-jnlp-bundle</id>
<phase>package</phase>
<goals>
<goal>build-native</goal>
</goals>
<!-- this configuration is only specific to this execution -->
<configuration>
<!-- as we only want to create the JNLP-package, use fixed bundler-ID -->
<bundler>jnlp</bundler>
<bundleArguments>
<!-- this makes the JNLP-file having permissions being set -->
<!-- AND it is the trigger for signing jar-files using jarsigner -->
<jnlp.allPermisions>true</jnlp.allPermisions>
<!-- the JNLP-bundler is a bit picky about its parameters, it does not use <appName> -->
<jnlp.outfile>simpleApplicationName</jnlp.outfile>
</bundleArguments>
<!-- this setting is required for the new "jarsigner"-feature -->
<noBlobSigning>true</noBlobSigning>
<!-- these are required, please change them for your own requirements -->
<keyStoreAlias>myalias</keyStoreAlias>
<keyStorePassword>mypass</keyStorePassword>
<!-- as this keystore is no file, please disable file-checks -->
<skipKeyStoreChecking>true</skipKeyStoreChecking>
<!-- this is new too and required, as PKCS11 does not want some keypass -->
<skipKeypassWhileSigning>true</skipKeypassWhileSigning>
<!-- this is used for additional parameters for the jarsigner command -->
<additionalJarsignerParameters>
<additionalJarsignerParameter>-keystore</additionalJarsignerParameter>
<additionalJarsignerParameter>NONE</additionalJarsignerParameter>
<additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
<additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
<additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
<additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
<additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
<additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
<additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
<additionalJarsignerParameter>${project.basedir}/src/main/resources/token/eToken.config</additionalJarsignerParameter>
<!-- I DO KNOW that this is verbose ... -->
</additionalJarsignerParameters>
<!-- the jnlp-bundler gets a bit messy, lots of files, so we want to mimic "jfx:web"-folder-structure -->
<nativeOutputDir>${project.build.directory}/jfx/web</nativeOutputDir>
</configuration>
</execution>
</executions>
</plugin>
This version is not released yet, but a snapshot is available from the sonatype repository.