Java Web Start requires signed 3rd party JARs, best practice for caching signed 3rd party JARs

I’ve been looking at how to create a task, plugin or multiple plugins to solve a very lengthy part of our build process: 3rd party JAR signing.

The fact that 3rd party JARs need to be signed for an application to use Java Web Start is quite a pain, but required by the spec. When we are sourcing all of our 3rd party JARs from repositories, the process of locating and incorporating these artifacts into our final bundle ends up complicating the prospect of building a plugin/task that would cache these files rather than signing them every time.

There are a few pieces to this puzzle I don’t quite understand. From an overall perspective, what’s the best way to accomplish not signing these jars that have been signed already in previous runs?

My ideas

  1. Create a task that accesses all the dependencies of the target Project and programmatically sign these JAR files via ant.signjar
     -> I am doing this currently, but I am not caching these files. This task is done on every build and takes 10s of minutes
     -> I would only want to cache versioned dependencies. This is a multi-project build, and I don’t want to cache signed JARs of the other projects in the multi-project build
  2. Is it possible to sign these JARs and publish them to a repo where the Web Start project would look for signed artifacts, then fall back on signing the unsigned artifact of the same name?
  3. Is it possible to sign these JARs and do something less permanent than a publish, maybe just a copy to a directory that would not be removed during a gradle clean, that is defined by an environment variable? This seems a bit hacky, but is probably the most attainable given my limited knowledge at this point
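
Idea 3 above, sketched as an added example (not code from the original post or from Gradle): a signed-JAR cache kept outside the build directory and keyed on the SHA-256 of the unsigned JAR plus the signing alias, so a dependency whose bytes change under the same file name is re-signed rather than served from cache. The environment variable names `SIGNED_JAR_CACHE`, `SIGN_KEYSTORE` and `SIGN_STOREPASS`, the function names, and the rule that any file name containing `SNAPSHOT` bypasses the cache are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def jarsigner_sign(src: Path, dst: Path, alias: str) -> None:
    """Sign src into dst with the JDK jarsigner tool (keystore settings are assumed env vars)."""
    subprocess.run(
        ["jarsigner", "-keystore", os.environ["SIGN_KEYSTORE"],
         "-storepass:env", "SIGN_STOREPASS",   # password read from the environment, not argv
         "-signedjar", str(dst), str(src), alias],
        check=True,
    )


def cache_key(jar: Path, alias: str) -> str:
    """Key on the unsigned JAR's bytes plus the signing alias, never on the file name."""
    h = hashlib.sha256()
    h.update(alias.encode() + b"\0")
    with jar.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def signed_jar(jar: Path, out_dir: Path, alias: str, sign=jarsigner_sign, cache_dir=None) -> Path:
    """Return a signed copy of jar in out_dir, invoking the signer only on a cache miss."""
    cache = Path(cache_dir or os.environ["SIGNED_JAR_CACHE"])
    cache.mkdir(parents=True, exist_ok=True)
    out_dir.mkdir(parents=True, exist_ok=True)
    dst = out_dir / jar.name
    if "SNAPSHOT" in jar.name:        # assumed marker for in-project output: always re-sign
        sign(jar, dst, alias)
        return dst
    entry = cache / (cache_key(jar, alias) + ".jar")
    if not entry.exists():
        fd, tmp = tempfile.mkstemp(dir=cache, suffix=".tmp")
        os.close(fd)
        try:
            sign(jar, Path(tmp), alias)
            os.replace(tmp, entry)    # atomic publish: a failed signing leaves no cache entry
        finally:
            if os.path.exists(tmp):
                os.remove(tmp)
    shutil.copyfile(entry, dst)
    return dst
```

The alias stands in for the signer's identity here; if the certificate behind an alias is replaced, clear the cache directory or add the certificate fingerprint to the key.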