{"id":15105343,"url":"https://github.com/minecraftforge/gradlejarsigner","last_synced_at":"2025-07-09T01:35:18.121Z","repository":{"id":198081668,"uuid":"670714281","full_name":"MinecraftForge/GradleJarSigner","owner":"MinecraftForge","description":"Simple gradle plugin to sign jar files using the 'jarsigner' tool.","archived":false,"fork":false,"pushed_at":"2023-11-15T03:10:06.000Z","size":89,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-09T11:14:43.670Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MinecraftForge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null},"funding":{"patreon":"LexManos"}},"created_at":"2023-07-25T17:01:30.000Z","updated_at":"2023-10-03T19:37:55.000Z","dependencies_parsed_at":"2023-11-15T04:24:20.963Z","dependency_job_id":"79a83776-94f8-4de2-9310-2122be13c663","html_url":"https://github.com/MinecraftForge/GradleJarSigner","commit_stats":null,"previous_names":["minecraftforge/gradlejarsigner"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MinecraftForge%2FGradleJarSigner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MinecraftForge%2FGradleJarSigner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MinecraftForge%2FGradleJarSigner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MinecraftForge%2FGradleJarSigner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MinecraftForge","download_url":"https://codeload.github.com/MinecraftForge/GradleJarSigner/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247093290,"owners_count":20882387,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-25T20:23:37.355Z","updated_at":"2025-04-03T23:21:59.620Z","avatar_url":"https://github.com/MinecraftForge.png","language":"Java","readme":"# GradleJarSigner\nThis is a simple gradle plugin that uses ant to execute the [jarsigner](https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html) utility. This embeds a signature in the jar file that can be used to verify its contents haven't been modified and came from a specific source. This does NOT create an external GPG signature file. The built in signing plugin does that.\n\nI made this because I got tired of having to configure everything manually for this in every project, and I wanted to have a simple way of signing data in Github Actions.\n\n### Usage\nI haven't published this to the gradle plugin portal yet so until I do you need to have this in your settings.gradle.\n\n    pluginManagement {\n        repositories {\n            gradlePluginPortal()\n            maven { url = 'https://maven.minecraftforge.net/' }\n        }\n    }\nAnd in your build.gradle\n\n    plugins {\n        id 'net.minecraftforge.gradlejarsigner'\n    }\nThis will add a extension name 'jarSigner' to your project where you can configure the signing information, or you can configure it in each signing task.\n    \n    jarSigner {\n        alias = 'key_name'\n        storePass = 'store_password'\n        keyPass = 'key_password'\n        keyStoreFile = file('keystore_file')\n        // Or you can specify the keystore file as a base64 encoded string.\n        // This is mainly meant to allow it to be passed in via a Github Action Secret\n        keyStoreData = 'aGVsbG8='\n    }\n\nThen to sign the `jar` task you can do `jarSigner.sign(jar)`, this works for any Jar or Zip task.\nYou can also configure the task itself to specify any of the information set in the global config as well as any filters on the data you wish to sign.\n\n    jarSigner.sign(jar) {\n        alias = 'key_name'\n        storePass = 'store_password'\n        keyPass = 'key_password'\n        keyStoreFile = file('keystore_file')\n        exclude 'unsigned.txt'\n    }\n\n### Github Secrets\nA large motivation for this was wanting to use Github Actions and still be able to sign my built files. Github does not allow you to have files as [secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) just strings and the workarounds I found involved committing a encrypted form of your keystore to your repo and then decrypting it during an Action. Instead I decided to allow you to specify the keystore file as a base64 encoded string which can be used as a Secret.\n\nYou can either manually configure the information by pulling the secrets yourself, or I added a simple helper `jarSigner.autoDetect()` which which search the following locations in order:\n\n    if (prefix != null) {\n        project.findProperty(prefix + '.' + prop)\n        System.getenv(prefix + '.' + prop)\n    }\n    project.findProperty(prop)\n    System.getenv(prop)\n`prefix` defaults to `project.name` you can override by calling `jarSigner.autoDetect('prefix')`\n\nFor the following properties:\n\n    jarSigner {\n        alias = 'SIGN_KEY_ALIAS'\n        keyPass = 'SIGN_KEY_PASSWORD'\n        storePass = 'SIGN_KEYSTORE_PASSWORD'\n        keyStoreData = 'SIGN_KEYSTORE_DATA'\n    }\n\n### Conclusion\nI'm sure there are improvements that could be made, but it works good enough for me so this is where I'm at. If you have suggestions for improvements feel free to submit them. But the point of this plugin is to be small, simple, and single purpose.\n","funding_links":["https://patreon.com/LexManos"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fminecraftforge%2Fgradlejarsigner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fminecraftforge%2Fgradlejarsigner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fminecraftforge%2Fgradlejarsigner/lists"}