How Do I Sign A War?

I apply the war plugin and have a list of dependencies and gradle builds my war. How do I make it also sign the jars within the war? (it is a Java WebStart war)

I have a keystore (storetype = pkcs12), alias and password.

Gradle’s signing plugin (which has its own chapter in the Gradle User Guide) currently only supports PGP signing, which is probably not what you need. In that case you could search for a third-party plugin (e.g. on the Gradle Plugin Portal), execute the JDK command line tools directly (e.g. using ‘Exec’ task(s)), or perhaps use some JDK API to accomplish the same. Last but not least, if there is an Ant task for this, you can also use that.

Thanks. That’s what I feared. Signing jars seems like a fairly common task. I’m puzzled how you got this far without thinking it was necessary to have a Gradle version though.

The ant task ( is what I am used to.

However, this does make the war process more complicated as I will now have to copy the dependencies locally, sign them with ant, then customise the war task to use the locally signed jars instead of the dependencies.

How would I go about achieving that last part? Is this the standard pattern for doing it?

Or do people use a Maven task like ?

You will indeed have to copy the Jars before signing (unless the Ant task already takes care of this). One option would be to use ‘war.eachFile’ to replace unsigned Jars with signed Jars during creation of the War archive. Another option would be to use a fresh ‘War’ task instead of the ‘war’ plugin. Unlike Ant tasks, Maven Mojos cannot be used with Gradle.

Is it possible to do it all within the war.eachFile block? println file.getFile().getAbsolutePath() lists the jars as within the gradle cache. I don’t want to sign them in there. The ant signjar has an option to specify signedJar but it keeps failing with jarsigner returned: 1

war {
    from(configurations.providedRuntime.files) {
        into "application-jars"
    classpath fileTree('webinf-libs') // adds a file-set to the WEB-INF/lib dir.
    eachFile { file ->
     println file.getFile().getAbsolutePath()
      if ('.jar')) {
               signedJar: file.relativePath,
                alias: 'alias',
                keystore: 'store.key',
                storepass: 'storepass',
                keypass: 'keypass',
                verbose: 'true')

I’d probably add a separate task to do the signing, then use ‘war.eachFile {}’ to point the ‘war’ task to the signed Jars instead of the original Jars.