
I have a Maven project foo, which is a webstart. In order to be distributable via browser, the contents need to be jarsigned, which I do using maven-jarsigner-plugin:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.4</version>
    <executions>
      <execution>
        <phase>package</phase>
        <id>sign</id>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
    <configuration>
      <keystore>mykeystore.jks</keystore>
      <alias>myalias</alias>
      <storepass>mypass</storepass>
    </configuration>
</plugin>

That part works. However, the utterly awkward scenario is that I need to use some modules from the webstart jar in a server-side component, let's call it bar, that runs as a Tomcat module as a war file. I didn't design this -- it's a huge hack so I don't need advice on what a bad design that is. It's a legacy constraint I have to work within for now.

The problem is, when I declare foo as a dependency to bar, it takes the jarsigned foo.jar -- and then I get a java.lang.SecurityException because the rest of bar.war is not signed.

QUESTION: Is there a way for me to either

  1. Save both a signed and unsigned jar in the build process of foo and then call the unsigned as a dependency to bar -- or

  2. Remove the signature in the single signed foo.jar in the dependency declaration within bar's pom.xml?

amphibient

1 Answer


You can use Maven classifiers in conjunction with profiles to achieve what you want. More details about classifiers can be found on this page.

  • Have two profiles in your pom: signed and unsigned. Include the jarsigner plugin as part of the signed profile definition.
  • Set the classifier based on the profile that is being used. A good example of setting the artifact's classifier based on the selected profile can be found in this question: Building same project in Maven with different artifactid (based on JDK used)
  • Run the build twice (once for each profile) to produce a signed and unsigned jar.
ilooner