What is the syntax for defining a custom signatory?


(David Resnick) #1

I’ve created a new class (org.MySignatory) in buildSrc that extends org.gradle.plugins.signing.signatory.SignatorySupport.

I would like to use it to sign a jar, but have not been able to set it as the signatory for a project.

The following seems the most consistent with the user guide examples and DSL documentation, but the script fails during evaluation with “Could not find method signatory() for arguments [org.MySignatory@2ddc50] on project”

apply plugin: 'signing'
signing {
    signatory new org.MySignatory()
    sign configurations.archives
}

I’m using version 1.0 milestone 9.


(David Resnick) #2

Is using a custom signatory supported at this time with the signing plugin?


(David Resnick) #3

The following fits the Gradle DSL but doesn’t define a signatory.

Building fails with “Cannot perform signing task ‘:proj:signArchives’ because it has no configured signatory”.

signing {
    signatories {
        new org.MySignatory()
    }
    sign configurations.archives
}

(Luke Daley) #4

This is a bit awkward right now. If you provide more info on what you want to achieve I should be able to provide a solution.

At the lowest level, you can inject your own signatory provider…

signing.signatoryProvider = new MySignatoryProvider()

This is the interface to implement


(David Resnick) #5

There is no signatoryProvider method; I think that you meant:

signing.signatories = new MySignatoryProvider()

Using this, I am able to pass MySignatory via MySignatoryProvider.

But it seems that PgpSignatory is still active.

First of all, Gradle complains because my Signatory is missing a keyId property of type PgpKeyId (which is required regardless of signature type at Sign.groovy:69). Also, an .asc file is generated to the build/libs directory.

Once I added the keyId to my Signatory, my sign(in, out) method is called, being given the jar to be signed in the input stream. But the output stream is ignored.

Even when the sign method of MySignatory is just the following, the output jar is the original unsigned jar:

@Override
public void sign(InputStream toSign, OutputStream signed) {
    signed.write(100)
    signed.flush()
}

So somehow the output from the sign(…) method is being ignored or overridden.

Any ideas?

Thanks, David


(David Resnick) #6

OK, the problem was that I needed to define the signatureTypes as well, and make MySignatureType the default.

signing.signatureTypes = new MySignatureTypeProvider()

Now I have a different question:

Is there any reasonable way to replace the jar that is generated by the jar task with the jar I’ve just signed using my Signatory in the signArchives task?

I didn’t want to make a signature file; rather I wanted to have the jar output signed. Most important is that I don’t want Gradle to recreate the jar on every build.


(Luke Daley) #7

The signing plugin was not designed to transform artifacts, but create auxiliary signature files.

This could be possible though, but the API may be a little awkward for it. Some additions to the signing plugin could make this easier.

Contributions are always welcome :)


(David Resnick) #8

Right, thanks for the clarification.

For now, a workaround I’ve found is to make my SignatureType extension “jar” and set the project archive extension to “”.
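
The wiring the thread arrives at (a custom provider for both `signing.signatories` and `signing.signatureTypes`, producing a detached signature file as described in #7), as an added example that is not from any poster or from the Gradle project. It assumes the signing-plugin interfaces as documented for later Gradle releases (`SignatoryProvider`, `SignatorySupport`, `AbstractSignatureType`, `AbstractSignatureTypeProvider`), which may differ from milestone 9; the class names, the `rsasig` extension and the `signing.ks*` properties are hypothetical.

```groovy
// build.gradle: added illustration. Class names, the "rsasig" extension and the
// signing.ks* property names are hypothetical, not taken from the thread.
import java.security.KeyStore
import java.security.PrivateKey
import org.gradle.plugins.signing.SigningExtension
import org.gradle.plugins.signing.signatory.SignatoryProvider
import org.gradle.plugins.signing.signatory.SignatorySupport
import org.gradle.plugins.signing.type.AbstractSignatureType
import org.gradle.plugins.signing.type.AbstractSignatureTypeProvider

apply plugin: 'java'
apply plugin: 'signing'

// Writes a detached SHA256withRSA signature over the artifact bytes.
class RsaSignatory extends SignatorySupport {
    PrivateKey key
    String getName() { 'rsa' }
    String getKeyId() { 'rsa' } // assumption: a String id (milestone 9 wanted a PgpKeyId)
    void sign(InputStream toSign, OutputStream destination) {
        def s = java.security.Signature.getInstance('SHA256withRSA')
        s.initSign(key)
        byte[] buf = new byte[8192]
        for (int n = toSign.read(buf); n != -1; n = toSign.read(buf)) { s.update(buf, 0, n) }
        destination.write(s.sign())
        destination.flush()
    }
}

// Loads the key from a PKCS#12 keystore named in gradle.properties,
// so no secret is written into the build script.
class RsaSignatoryProvider implements SignatoryProvider<RsaSignatory> {
    void configure(SigningExtension settings, Closure closure) { }
    RsaSignatory getSignatory(String name) { null }
    RsaSignatory getDefaultSignatory(Project project) {
        char[] pw = project.property('signing.ksPassword').toString().toCharArray()
        KeyStore ks = KeyStore.getInstance('PKCS12')
        project.file(project.property('signing.ksFile')).withInputStream { ks.load(it, pw) }
        new RsaSignatory(key: (PrivateKey) ks.getKey(project.property('signing.ksAlias').toString(), pw))
    }
}

class RsaSignatureType extends AbstractSignatureType { String getExtension() { 'rsasig' } }
class RsaSignatureTypeProvider extends AbstractSignatureTypeProvider {
    RsaSignatureTypeProvider() { register(new RsaSignatureType()); setDefaultType('rsasig') }
}

signing {
    signatories = new RsaSignatoryProvider()       // replaces the PGP signatory lookup
    signatureTypes = new RsaSignatureTypeProvider() // without this an .asc file is still produced
    sign configurations.archives
}
```

Under these assumptions `signArchives` leaves the jar untouched and writes the signature next to it with the `rsasig` extension appended.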