Prepare re-signing pgm's ueberjar to avoid SecurityException

Since we now sign all build artifacts immediately after creating them we need to re-sign the ueberjar created for jgit command line tool because the signatures of the individual jars are invalidated when repacking them into the ueberjar. Hence we need to exclude the signatures of the individual jars when using maven-shade-plugin to create the ueberjar. Also install the shaded plugin into maven repository and exclude osgi framework sources which were included unintentionally. See http://dev.eclipse.org/mhonarc/lists/jgit-dev/msg02277.html Change-Id: Ia302e68a4b2a9399cb18025274574e31d3d3e407 Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
2013-09-24 09:11:47 +02:00 · 2013-09-24 09:11:47 +02:00 · b4f07df357
parent aa4bbc67b3
commit b4f07df357
1 changed files with 14 additions and 0 deletions
--- a/org.eclipse.jgit.pgm/pom.xml
+++ b/org.eclipse.jgit.pgm/pom.xml
@ -178,6 +178,20 @@
                  </manifestEntries>
                </transformer>
              </transformers>
+              <filters>
+                <!-- exclude the signing data for individual jars, ueberjar will be signed again -->
+                <filter>
+                  <artifact>*:*</artifact>
+                  <excludes>
+                    <exclude>META-INF/*.SF</exclude>
+                    <exclude>META-INF/*.DSA</exclude>
+                    <exclude>META-INF/*.RSA</exclude>
+                    <exclude>OSGI-OPT/**</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+              <shadedArtifactAttached>true</shadedArtifactAttached>
+              <shadedClassifierName>shaded</shadedClassifierName> <!-- Any name that makes sense -->
            </configuration>
          </execution>
        </executions>