
Another nice journey with Maven – or how to sign a jar file

26 Nov

Yes, I love Maven, for sure. Maven gives you the capability to build a project the same way every time and in every environment. I often explain Maven as a brilliant facility manager who is able to put all the build, test, package and delivery instruments together and then build everything according to your building instructions.

But what if I have to sign a JAR file with a code-signing certificate? And this certificate is owned by another company, and they will not provide this certificate to me. How can I set up a project with Maven that lets me build and sign the project with a self-signed certificate, while my customer or my build server can use the code-signing certificate?

First step…

I need a self-signed code-signing certificate in a keystore. Read the following tutorial on how you can do this: http://www.jade-cheng.com/uh/ta/signed-applet-tutorial/. Now add this keystore to the project. My keystore is named awfstore.

Once we have done this, let the Maven project know that we want to sign the JAR file by adding the following snippet to the build section in the pom.xml.

mj1

We are using the “maven-jarsigner-plugin”. The configuration is done with some variables whose names start with “sign.”. The values for these variables are defined in the properties:

mj2

You can now build the project and it will sign your project with the certificate awf from the awfstore. Replace these values with your own. But how can we make a build server like Jenkins or Atlassian Bamboo use other values?

Add the following definition to your pom.xml:

mj5

This will activate the profile compSignerKeyStore, which will override the variables with new settings. These settings can be placed in the settings.xml of your build server or of any developer. It can look like this:

mj4
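
One way to wire up the setup described above, as an added example that is not the author's original listing. The property names after the "sign." prefix, the passwords, the company keystore path and alias, and the use of `activeProfiles` in settings.xml to switch the profile on are assumptions; only awfstore, awf and compSignerKeyStore come from the post.

```xml
<!-- pom.xml (fragment): defaults point at the self-signed keystore kept in the project -->
<properties>
  <sign.keystore>${project.basedir}/awfstore</sign.keystore>
  <sign.alias>awf</sign.alias>
  <sign.storepass>changeit</sign.storepass> <!-- constructed, dev-only value -->
  <sign.keypass>changeit</sign.keypass>     <!-- constructed, dev-only value -->
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <!-- add a <version> element to pin the plugin release you have tested -->
      <executions>
        <execution>
          <id>sign-and-verify</id>
          <goals>
            <goal>sign</goal>   <!-- runs in the package phase -->
            <goal>verify</goal> <!-- runs in the verify phase -->
          </goals>
        </execution>
      </executions>
      <configuration>
        <keystore>${sign.keystore}</keystore>
        <alias>${sign.alias}</alias>
        <storepass>${sign.storepass}</storepass>
        <keypass>${sign.keypass}</keypass>
      </configuration>
    </plugin>
  </plugins>
</build>

<!-- settings.xml on the build server (fragment): same property names, real values -->
<profiles>
  <profile>
    <id>compSignerKeyStore</id>
    <properties>
      <sign.keystore>/path/to/company-keystore</sign.keystore> <!-- placeholder -->
      <sign.alias>company-alias</sign.alias>                   <!-- placeholder -->
      <sign.storepass>REPLACE_ME</sign.storepass>              <!-- placeholder -->
      <sign.keypass>REPLACE_ME</sign.keypass>                  <!-- placeholder -->
    </properties>
  </profile>
</profiles>
<activeProfiles>
  <activeProfile>compSignerKeyStore</activeProfile>
</activeProfiles>
```

With this split, the company keystore and its passwords exist only on the machine that holds the settings.xml and never enter source control; the checked-in self-signed keystore should be treated as untrusted by anyone consuming the artifacts.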

Have fun

Christian

 

Posted by on November 26, 2015 in Java, Maven, OpenNTF

 
