How can I check a signed jar file using Ant?
An alternative would be to base your build on a Maven script.
Maven does propose the jarsigner:verify plugin.
If that is not a valid possibility, you still can use the Exec Ant task to directly call the jarsigner command.
If the return code is correctly set, you can add the attribute failonerror (Stop the build process if the command exits with a return code other than 0.)
The following Ant code can be used for verifying JAR-file signatures. The script will fail as soon as it encounters a JAR-file where the signature is not valid or where it is missing.
Note that ant-contrib is required for the for task.
<!-- Macro to verify whether or not a JAR file is signed -->
<macrodef name="verify-signatures">
  <attribute name="filesetref" />
  <sequential>
    <for param="file">
      <path>
        <fileset refid="@{filesetref}" />
      </path>
      <sequential>
        <echo message="Verifying signature on file: @{file}" />
        <exec executable="jarsigner" failonerror="true">
          <arg value="-verify" />
          <arg value="@{file}" />
        </exec>
        <fail message="@{file} must be signed">
          <condition>
            <not>
              <issigned file="@{file}" />
            </not>
          </condition>
        </fail>
      </sequential>
    </for>
  </sequential>
</macrodef>
<!-- Define the list of files to check -->
<fileset dir="p2repo" id="jarfiles">
  <include name="**/*.jar" />
</fileset>
<!-- Verify signatures -->
<verify-signatures filesetref="jarfiles" />
Ant conditions offer "issigned".
"Test whether a jarfile is signed. If the name of the signature is passed, the file is checked for presence of that particular signature; otherwise the file is checked for the existence of any signature. It does not perform rigorous signature validation; it only looks for the presence of a signature. This condition was added in Apache Ant 1.7."
From Ant conditions
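The distinction in the quoted documentation, between a signature being present and a signature being valid, as an added Python example that is not part of the answers above. `signature_files` is assumed to mirror the presence test the documentation describes, `mismatched_entries` performs only the manifest digest comparison (one part of what `jarsigner -verify` does), and the sample JAR, entry names and function names are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def signature_files(jar):
    """Presence test only, as the quoted documentation describes for issigned."""
    return [n for n in jar.namelist()
            if n.upper().startswith("META-INF/") and n.upper().endswith(".SF")]

def manifest_digests(jar):
    """Map entry name -> (algorithm, digest bytes) from the per-entry manifest sections."""
    text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        for key, value in attrs.items():
            if key.endswith("-Digest") and "Name" in attrs:
                digests[attrs["Name"]] = (key[:-len("-Digest")], base64.b64decode(value))
    return digests

def mismatched_entries(jar):
    """Entries whose content no longer matches the digest recorded in the manifest."""
    bad = []
    for name, (algo, expected) in manifest_digests(jar).items():
        try:
            actual = hashlib.new(algo.replace("-", "").lower(), jar.read(name)).digest()
        except KeyError:  # entry listed in the manifest but missing from the archive
            actual = None
        if actual != expected:
            bad.append(name)
    return bad

def check(jar):
    return {"has_signature_file": bool(signature_files(jar)),
            "mismatched": mismatched_entries(jar)}

def build_sample_jar(content, digested):
    """Constructed sample: manifest digest computed over `digested`, entry holds `content`."""
    digest = base64.b64encode(hashlib.sha256(digested).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: app/Main.class\r\nSHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")  # placeholder, no signature block
        z.writestr("app/Main.class", content)
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))

if __name__ == "__main__":
    print(check(build_sample_jar(b"v1", b"v1")))  # content matches the manifest
    print(check(build_sample_jar(b"v2", b"v1")))  # content changed after digesting
```

Both sample JARs pass the presence test and only the digest comparison tells them apart, so a build gate should not rely on `issigned` alone.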