Okay, I have something that works now J
Just to summarize:
I use proguard to obfuscate a bunch of jars together..
I use keytool to generate a test keystore and a test key.
I use antrun to execute signjar on all the obfuscated jars with the test key.
I use webstart to pull in the other deps (like log4j), sign them with the test
key, create a jnlp-file and zip it all up.
This actually works, though there are a couple of points I am unhappy with:
In order for webstart to consider the obfuscated jars I had to dump them in a
subfolder of ${project.build.directory} and tell webstart to use this subfolder
as workdir.
The webstart plugin disregards the obfuscated jars when looking at which jars
to sign, so I need to sign them myself.
The antrun-signjar thingie overrides the manifest in the jars, so my custom
Main-class entry gets overwritten.
If anyone can tell me how to get webstart to also consider my obfuscated jars,
please do tell.
Kevin: Thanks for all your help. It is very much appreciated.
Regards,
/Henrik
From: Henrik Dohlmann
Sent: 22. oktober 2007 15:39
It would probably be the best to obfuscate each jar separately and get the
profile thingy working.
But: We have a lot of internal APIs between core and a handful of other jars
that we also want to be obfuscated. This is possible by pouring them all into
proguard at the same time and specifying an outputfolder for proguard. This is
the setup I would like to have working with webstart.
So, anyone have a hint to how I can get the webstart plugin to sign/pack200
jars that I have preprocessed? They do get included in the jnlp-file and in the
zip-artefact, but they are not considered for signing/pack200 due to a
timestamp analysis.
I guess this timestamp analysis is made to ensure that signing/pack200 does not
happen on already sigend/pack200 processed files., but it has the effect that
jars I preprocess (with proguard) are not considered as well.
I am thinking about dropping the pack200 step for now and signing the
obfuscated jars before webstart is triggered, but I am unsure how to do this.
The jar:sign expects a jar pom.
So, do I have to do this with an antrun plugin? Or is there something I am
overlooking?
