How to sign and deploy runtime dependencies?

Hello,

I’m new to Gradle and rather new to Java, so pardon my ignorance.

I’m continuing a project based on Gradle. The project is a JNLP application (I know it’s going to be removed but we need some maintenance on it) which depends on some open-source libraries (batik, etc.). Currently, those libraries are in the Git repository (and added to compile-time dependencies in build.gradle) and are used to create a fat JAR with the com.github.johnrengelman.shadow plugin.

I would like to get rid of that (the Java side is easy) and fix some weird constructs in build.gradle.

I have been able to compile the project into a regular JAR. My current issues are:

  1. How to sign the external JARs? I have found some code to sign the main JAR with jarsigner and I have been able to adapt it to sign the external JARs:

```groovy
task signJar(description: 'to Sign JAR.', group: 'Build') {
    dependsOn jar
    doLast {
        def jarPath = jar.archivePath
        def jksFile = new File(projectDir, "microscopestore")
        // Sign the project's own JAR
        exec {
            executable 'jarsigner'
            args '-keystore', jksFile, '-storepass', 'microscope', '-digestalg', 'SHA1', jarPath, 'microscope'
        }
        // Sign each resolved dependency JAR in place (this rewrites the resolved file itself)
        configurations.compile.files.each { lib ->
            exec {
                executable 'jarsigner'
                args '-keystore', jksFile, '-storepass', 'microscope', '-digestalg', 'SHA1', lib, 'microscope'
            }
        }
    }
}
```

However, it modifies the JARs. I am not sure what is the best option here. I have found the signing plugin but I am not sure if it applies here (this discussion seems to indicate that the signing plugin doesn’t sign the JAR as done by jarsigner).

  2. How to upload the signed JARs (both the external ones and our JAR)? Currently, I use a local repository and the following code:

```groovy
artifacts {
    archives jar, configurations.compile.files
}

uploadArchives {
    repositories {
        flatDir {
            dirs project.publishPath + project.name + '-' + project.version
        }
    }
}
```

This works, but the project version is appended to the external JAR files, which is weird.

Any advice on those points?

Thanks in advance,
Mathieu

I have simplified some parts. However, question 2 remains: how to upload some files without appending the version number?

I have simplified the upload a lot (in fact I just copy files where I need them).
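
One way to handle both questions together, as an added example that is not part of the original posts: copy the project JAR and its dependencies into a staging directory under their original file names, then sign only the copies, so the resolved dependency files are never modified. The task names `stageJars` and `signStagedJars`, the `build/signed` directory and the `KEYSTORE_PASS` environment variable are assumptions; the example also switches the digest from the post's SHA1 to SHA-256 and reads the keystore password from the environment instead of hard-coding it in build.gradle.

```groovy
// Added example, not the poster's code.
// Assumed names: stageJars, signStagedJars, build/signed, KEYSTORE_PASS.
def signedDir = file("$buildDir/signed")

// Copy keeps each file's original name, so no project version is appended
// to the third-party JARs.
task stageJars(type: Copy) {
    description = 'Copies our JAR and its dependencies into the staging directory.'
    group = 'Build'
    from jar                      // output of the jar task (adds the task dependency)
    from configurations.compile   // same configuration the post uses
    into signedDir
}

task signStagedJars {
    description = 'Signs the staged copies; the resolved originals stay untouched.'
    group = 'Build'
    dependsOn stageJars
    doLast {
        // Keystore file name and alias are taken from the post
        def jksFile = new File(projectDir, 'microscopestore')
        fileTree(signedDir).include('*.jar').each { staged ->
            exec {
                executable 'jarsigner'
                // -storepass:env makes jarsigner read the password from the
                // named environment variable, keeping it out of the build script
                args '-keystore', jksFile,
                     '-storepass:env', 'KEYSTORE_PASS',
                     '-digestalg', 'SHA-256',
                     staged, 'microscope'
            }
        }
    }
}
```

After `signStagedJars` runs, `build/signed` holds everything the JNLP descriptor references and can be copied to the deployment location as a unit.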