Is there a way to sign the jars before creating the artifacts.jar?

[reinsch82]

We'd like to sign our 3rd party jars. I tried to use just jarsigner:sign but that causes a problem with the hashes in artifacts.jar. Very likely because they are obviously calculated before I apply the signature.

[sparsick]

3rd party jars are collected by P2 mechanism. Therefore, jarsigner:sign will not work here.

[reinsch82]

ok, yes, what I meant I tried to sign them after creating the p2 repository with p2:site I guess what would be required is a way to execute this step before the artifacts and contents files are created. To my understanding they contain hashes for the jar files and therefore it breaks when using the created p2 repo because the hashes don't match. any Idea how we could do that?

[sparsick]

BND Tool has a sign parameter. Maybe this could work for jars that are modified by bnd. But that means the p2 maven plugin has to be extended.

[reinsch82]

is there a way to recalculate the hashes after the repository creation?

I guess that would be enough for my case. although it might be less handy overall. but it also wouldn't impact the "normal" usage.

[sparsick]

Sorry, I have no idea whether is possible. But I found a similar issue in eclipse collection repository https://github.com/eclipse/eclipse-collections/issues/287 . Maybe this helps you find a solution for you

[sparsick]

Relates to #80