Best practice for signing 3rd party jars automatically downloaded from dependency repository

plugins

(william.r.phillips.jr) #1

We have been asked to code sign all of the jars (including 3rd party jars) in our multi-project build. Our build is quite large with a dozen separate products and over a hundred 3rd party jars which are automatically downloaded from dependency repositories.

I have seen from other posts (like this one from early 2015), that this is possible, but that it adds a large amount of time into the compile process.

Has a best practice for this been established?