Skip to content
/ GradleJarSigner Public

Simple gradle plugin to sign jar files using the 'jarsigner' tool.

License

LGPL-2.1, Unknown licenses found

Licenses found

LGPL-2.1
LICENSE
Unknown
LICENSE-header.txt
1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

MinecraftForge/GradleJarSigner

BranchesTags

Repository files navigation

GradleJarSigner

This is a simple gradle plugin that uses ant to execute the jarsigner utility. This embeds a signature in the jar file that can be used to verify its contents haven't been modified and came from a specific source.

I made this because I got tired of having to configure everything manually for this in every project, and I wanted to have a simple way of signing data in GitHub Actions.

Note

This does not create an external GPG signature file. The built-in signing plugin does that.

Usage

You can apply the plugin by declaring it in your build.gradle file.

plugins {
    id 'net.minecraftforge.gradlejarsigner'
}

This will add an extension named jarSigner to your project where you can configure the signing information.

jarSigner {
    alias = 'key_name'
    storePass = 'store_password'
    keyPass = 'key_password'
    keyStoreFile = file('keystore_file')
    // Or you can specify the keystore file as a base64 encoded string.
    // This is mainly meant to allow it to be passed in via a Github Action Secret
    keyStoreData = 'aGVsbG8='
}

Then, to sign the jar task, you can do jarSigner.sign(jar). This works for any Jar or Zip task.

You can also configure the task itself to specify any of the information set in the global config as well as any filters on the data you wish to sign.

jarSigner.sign(jar) {
    alias = 'key_name'
    storePass = 'store_password'
    keyPass = 'key_password'
    keyStoreFile = file('keystore_file')
    exclude 'unsigned.txt'
}

GitHub Secrets

A large motivation for this was wanting to use GitHub Actions and still be able to sign my built files. GitHub does not allow you to have files as secrets, just strings. The workarounds I found involved committing an encrypted form of your keystore to your repo and then decrypting it during an Action. I instead decided to allow you to specify the keystore file as a base64 encoded string which can be used as a secret.

You can either manually configure the information by pulling the secrets yourself, or I added a simple helper jarSigner.autoDetect() which which search the following locations in order:

if (prefix != null) {
    project.findProperty(prefix + '.' + prop)
    System.getenv(prefix + '.' + prop)
}
project.findProperty(prop)
System.getenv(prop)

prefix defaults to project.name. You can override this by calling jarSigner.autoDetect('prefix').

For the following properties:

jarSigner {
    alias = 'SIGN_KEY_ALIAS'
    keyPass = 'SIGN_KEY_PASSWORD'
    storePass = 'SIGN_KEYSTORE_PASSWORD'
    keyStoreData = 'SIGN_KEYSTORE_DATA'
}

Conclusion

I'm sure there are improvements that could be made, but it works good enough for me so this is where I'm at. If you have suggestions for improvements feel free to submit them. But the point of this plugin is to be small, simple, and single purpose.

About

Simple gradle plugin to sign jar files using the 'jarsigner' tool.

Resources

Readme

License

LGPL-2.1, Unknown licenses found

Licenses found

LGPL-2.1
LICENSE
Unknown
LICENSE-header.txt
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

2 forks
Report repository

Releases

2 tags

Sponsor this project

Packages

No packages published

Contributors 2

  •  
  •  

Languages