We have several maven projects, which are built on the build server. In some cases we want to sign our deliverables. We use Maven Jarsigner Plugin to do that.
We face the following questions:
We don't want to put our keystore somewhere on our servers and hardcode a path to it. So we just wrapped this keystore in a jar and uploaded it as an artifact to our inner maven repository. When we want to sign a maven project, we download the keystore artifact using the Maven Dependency Plugin and attach signing goal to maven build lifecycle. Here is more detailed information.
In order to hide the passwords for the keystore, we put them into our corporate pom.xml
file. We also think about storing passwords in settings.xml
on the build server.
When a project is built and signed on a developer machine, we sign it with self-signed certificate. But when project is built and signed on a build server, we sign it with our "official" certificate.
Is it a good strategy?
I use 2 keystores:
The development keystore password is in the pom.xml
. Here is a snippet of my pom.xml
:
<plugin>
<artifactId>maven-jarsigner-plugin</artifactId>
<version>1.2</version>
<configuration>
<storetype>${keystore.type}</storetype>
<keystore>${keystore.path}</keystore>
<alias>${keystore.alias}</alias>
<storepass>${keystore.store.password}</storepass>
<keypass>${keystore.key.password}</keypass>
</configuration>
</plugin>
<!--
... rest of the pom.xml ...
-->
<properties>
<keystore.path>cert/temp.keystore</keystore.path>
<keystore.type>JKS</keystore.type>
<keystore.alias>dev</keystore.alias>
<keystore.password>dev_password</keystore.password>
<keystore.store.password>${keystore.password}</keystore.store.password>
<keystore.key.password>${keystore.password}</keystore.key.password>
</properties>
In ~/.m2/settings.xml
I defined a codesgining
profile:
<settings>
<profiles>
<profile>
<id>codesigning</id>
<properties>
<keystore.path>/opt/prod/prod.keystore</keystore.path>
<keystore.alias>prod</keystore.alias>
<keystore.type>JKS</keystore.type>
<keystore.store.password>${keystore.password}</keystore.store.password>
<keystore.key.password>${keystore.password}</keystore.key.password>
</properties>
</profile>
</profiles>
</settings>
when I want to sign the real certificate I invoke maven with the -Pcodesigning -Dkeystore.password=strongPassword
parameters. I also configured the maven-release-plugin to use the codesigning
profile.
Actually it is possible to store the password in settings.xml
as long as the file is readable by nobody but you.