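Answer 0: (score: 5)
Another approach is to base your build on a Maven script.
Maven offers the jarsigner:verify plugin.
If that is not a valid possibility, you can still use the Exec Ant task to call the jarsigner command directly.
If the return code is set correctly, you can add the attribute failonerror
(stops the build process if the command exits with a return code other than 0).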
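Answer 1: (score: 4)
The following Ant code can be used to verify JAR file signatures. The script fails as soon as it encounters a JAR file whose signature is invalid or missing.
Note that the for task requires ant-contrib.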
<!-- Macro to verify whether or not a JAR file is signed -->
<macrodef name="verify-signatures">
  <attribute name="filesetref" />
  <sequential>
    <for param="file">
      <path>
        <fileset refid="@{filesetref}" />
      </path>
      <sequential>
        <echo message="Verifying signature on file: @{file}" />
        <exec executable="jarsigner" failonerror="true">
          <arg value="-verify" />
          <arg value="@{file}" />
        </exec>
        <fail message="@{file} must be signed">
          <condition>
            <not>
              <issigned file="@{file}" />
            </not>
          </condition>
        </fail>
      </sequential>
    </for>
  </sequential>
</macrodef>

<!-- Define the list of files to check -->
<fileset dir="p2repo" id="jarfiles">
  <include name="**/*.jar" />
</fileset>

<!-- Verify signatures -->
<verify-signatures filesetref="jarfiles" />
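Answer 2: (score: 3)
Ant conditions provide "issigned".
"Test whether a jarfile is signed. If the name of the signature is passed, the file is checked for presence of that particular signature; otherwise the file is checked for the existence of any signature. It does not perform rigorous signature validation; it only looks for the presence of a signature. This condition was added in Apache Ant 1.7."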
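The difference between a presence check and a content check, shown on constructed archives (an added example, not part of the answers and not Ant's own code). The functions signature_present and digest_mismatches are hypothetical names; the .SF file written here is a placeholder rather than a real signature, and the digest comparison is only one of the steps a full verifier such as jarsigner -verify performs.

```python
import base64, hashlib, io, zipfile

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_jar(files, sf_name=None, stored=None):
    """Constructed sample JAR. The manifest digests come from `files`;
    `stored` optionally overrides the bytes actually written to the archive."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {sha256_b64(d)}\r\n\r\n" for n, d in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if sf_name:  # placeholder file, not a real signature
            z.writestr(f"META-INF/{sf_name}.SF", "Signature-Version: 1.0\r\n")
        for n, d in files.items():
            z.writestr(n, (stored or {}).get(n, d))
    return buf.getvalue()

def signature_present(jar, name=None):
    """Presence-only check: is there any META-INF/*.SF (or the named one)?"""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        sf = [n.upper() for n in z.namelist()
              if n.upper().startswith("META-INF/") and n.upper().endswith(".SF")]
    return bool(sf) if name is None else f"META-INF/{name.upper()}.SF" in sf

def digest_mismatches(jar):
    """Entries whose bytes no longer match the manifest's SHA-256-Digest.
    Simplified parser: does not handle 72-byte continuation lines."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        for section in z.read("META-INF/MANIFEST.MF").decode().split("\r\n\r\n"):
            attrs = dict(l.split(": ", 1) for l in section.split("\r\n") if ": " in l)
            if "Name" in attrs and "SHA-256-Digest" in attrs:
                if sha256_b64(z.read(attrs["Name"])) != attrs["SHA-256-Digest"]:
                    bad.append(attrs["Name"])
    return bad

if __name__ == "__main__":
    files = {"app/Main.class": b"original bytes"}  # constructed content
    intact = build_jar(files, sf_name="MYALIAS")
    modified = build_jar(files, sf_name="MYALIAS", stored={"app/Main.class": b"changed"})
    for label, jar in (("intact", intact), ("modified", modified)):
        print(label, signature_present(jar, "myalias"), digest_mismatches(jar))
```

The presence check gives the same answer for both archives, which is why a build gate should also run a verifying step (jarsigner -verify or the verifyjar task) rather than rely on issigned alone.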
Answer 3: (score: 2)
You can use the VerifyJar task in Ant to do this. Here is the link to the Ant help: https://ant.apache.org/manual/Tasks/verifyjar.html
Sample code for verifying multiple JAR files at once.
<verifyjar keystore="mykeystore" keypass="abc"
           storepass="abc" alias="myalias">
  <path>
    <fileset dir="${build.dir}/signedjar" includes="**/*.jar" />
  </path>
</verifyjar>
Answer 4: (score: 1)
Based on @torkildr's answer.
It is possible to have the macro pass a nested path or fileset to the ant-contrib for task.
<target name="verify-artifacts" description="Just an example of usage">
  <verify-artifacts>
    <fileset dir="${project.ear.dir}" includes="*.*ar"/>
  </verify-artifacts>
</target>

<macrodef name="verify-artifacts">
  <element name="artifact-path" implicit="true"/>
  <sequential>
    <for param="file">
      <artifact-path/>
      <sequential>
        <verify-artifact file="@{file}"/>
      </sequential>
    </for>
  </sequential>
</macrodef>

<macrodef name="verify-artifact">
  <attribute name="file"/>
  <attribute name="alias" default="${artifact.sign.keystore.alias}"/>
  <attribute name="keystore" default="${artifact.sign.keystore.path}"/>
  <attribute name="password" default="${artifact.sign.keystore.password}"/>
  <sequential>
    <if>
      <istrue value="${artifact.sign.enabled}"/>
      <then>
        <echo message="Trying to verify @{file} with alias @{alias} from @{keystore}"/>
        <required-macro-param value="@{alias}" prop="artifact.sign.keystore.alias"/>
        <required-macro-param value="@{keystore}" prop="artifact.sign.keystore.path"/>
        <required-macro-param value="@{password}" prop="artifact.sign.keystore.password"/>
        <fail message="Keystore path '@{keystore}' not found">
          <condition>
            <not><available file="@{keystore}" type="file"/></not>
          </condition>
        </fail>
        <fail message="Artifact '@{file}' not found">
          <condition>
            <not><available file="@{file}" type="file"/></not>
          </condition>
        </fail>
        <!-- jarsigner -verify -keystore @{keystore} -storepass @{password} @{file} @{alias} -->
        <exec executable="jarsigner" failonerror="true">
          <arg value="-verify"/>
          <arg value="-keystore"/>
          <arg value="@{keystore}"/>
          <arg value="-storepass"/>
          <arg value="@{password}"/>
          <arg value="@{file}"/>
          <arg value="@{alias}"/>
        </exec>
      </then>
    </if>
  </sequential>
</macrodef>

<macrodef name="required-macro-param">
  <attribute name="prop"/>
  <attribute name="value"/>
  <sequential>
    <!--<echo message="@{value}"/>-->
    <fail message="You must set property '@{prop}'">
      <condition>
        <and>
          <or>
            <equals arg1="@{value}" arg2=""/>
            <matches string="@{value}" pattern="^\$\{.*?\}$"/>
          </or>
          <!--<not><isset property="@{prop}"/></not>-->
        </and>
      </condition>
    </fail>
  </sequential>
</macrodef>

<macrodef name="sign-artifact">
  <attribute name="file"/>
  <attribute name="alias" default="${artifact.sign.keystore.alias}"/>
  <attribute name="keystore" default="${artifact.sign.keystore.path}"/>
  <attribute name="password" default="${artifact.sign.keystore.password}"/>
  <sequential>
    <if>
      <istrue value="${artifact.sign.enabled}"/>
      <then>
        <echo message="Trying to sign @{file} with alias @{alias} from @{keystore}"/>
        <required-macro-param value="@{alias}" prop="artifact.sign.keystore.alias"/>
        <required-macro-param value="@{keystore}" prop="artifact.sign.keystore.path"/>
        <required-macro-param value="@{password}" prop="artifact.sign.keystore.password"/>
        <fail message="Keystore path '@{keystore}' not found">
          <condition>
            <not><available file="@{keystore}" type="file"/></not>
          </condition>
        </fail>
        <fail message="Artifact '@{file}' not found">
          <condition>
            <not><available file="@{file}" type="file"/></not>
          </condition>
        </fail>
        <signjar jar="@{file}" alias="@{alias}" keystore="@{keystore}" storepass="@{password}"/>
        <fail message="Signature check failed">
          <condition>
            <not><issigned file="@{file}" name="@{alias}"/></not>
          </condition>
        </fail>
      </then>
    </if>
  </sequential>
</macrodef>

<macrodef name="sign-artifacts">
  <element name="artifact-path" implicit="true"/>
  <sequential>
    <for param="file">
      <artifact-path/>
      <sequential>
        <sign-artifact file="@{file}"/>
      </sequential>
    </for>
  </sequential>
</macrodef>

<property name="artifact.sign.enabled" value="true"/>
<property name="artifact.sign.keystore.alias" value="alias"/>
<property name="artifact.sign.keystore.path" value="keystore.jks"/>
<property name="artifact.sign.keystore.password" value="pwd"/>