发布签名的罐子到内部回购是否有任何错误?(Is There Anything Wrong With Publishing Signed Jars To An Internal Repo?)

我有我的Java webstart应用程序所需的250个依赖项(大多数是开源的,如spring,commons等)。 每次我进行构建时,我都必须对每一个进行签名,这会减慢我的构建速度。

我想考虑签署一次,然后使用“签名”分类器将它们发布到我的内部联系人,然后在我的gradle脚本中使用依赖项中的分类器。

这有什么不对吗?

I have 250 dependencies (mostly open source ones ones like spring, commons etc) that I need for my Java webstart application. I have to sign every single one of these each time I do a build and it slows my build right down.

I was thinking of signing them once and publishing them to my internal nexus with a "signed" classifier then using the classifier in the dependencies in my gradle script.

Is anything wrong with this?

最满意答案

这是一个好主意,但您应该在pom.xml中定义一个配置文件,以便在需要时(例如在证书更改时)重新签名所有jar

its a good idea, but you should define a profile in your pom.xml to enable resigning all jars when needed (like when certificate changes)

发布签名的罐子到内部回购是否有任何错误?(Is There Anything Wrong With Publishing Signed Jars To An Internal Repo?)

我有我的Java webstart应用程序所需的250个依赖项(大多数是开源的,如spring,commons等)。 每次我进行构建时,我都必须对每一个进行签名,这会减慢我的构建速度。

我想考虑签署一次,然后使用“签名”分类器将它们发布到我的内部联系人,然后在我的gradle脚本中使用依赖项中的分类器。

这有什么不对吗?

I have 250 dependencies (mostly open source ones ones like spring, commons etc) that I need for my Java webstart application. I have to sign every single one of these each time I do a build and it slows my build right down.

I was thinking of signing them once and publishing them to my internal nexus with a "signed" classifier then using the classifier in the dependencies in my gradle script.

Is anything wrong with this?

最满意答案

这是一个好主意,但您应该在pom.xml中定义一个配置文件,以便在需要时(例如在证书更改时)重新签名所有jar

its a good idea, but you should define a profile in your pom.xml to enable resigning all jars when needed (like when certificate changes)