To strengthen artifact integrity and enable long-term signature validation, we should introduce JAR code signing using the Maven Jarsigner Plugin, including trusted timestamping via a Time Stamping Authority (TSA).
Scope
This applies to all JAR-based artifacts produced during the build, including:
- *.jar
- *-sources.jar
- *-javadoc.jar
- *-jar-with-dependencies.jar
- any additional attached JAR artifacts
Proposed approach
- After packaging, sign all JAR artifacts using the Apache Maven Jarsigner Plugin (https://maven.apache.org/plugins/maven-jarsigner-plugin/)
- Use a configured keystore (PKCS12/JKS) containing the signing key and certificate
- Configure an RFC 3161 TSA URL to obtain a trusted timestamp during signing
- The signing process will:
  - compute hashes for all entries inside the JAR
  - generate a signature over these hashes
  - embed the signature and certificate into the JAR (META-INF/)
  - include a trusted timestamp within the signature block
- Continue to generate detached GPG signatures (*.asc) for Maven Central compatibility
Result
Each signed JAR will contain embedded signature metadata:
META-INF/
  MANIFEST.MF
  <SIGNER>.SF
  <SIGNER>.RSA
This provides:
- integrity protection for all files inside the JAR
- authentication of the signer via X.509 certificate
- a trusted timestamp proving when the signature was created
Benefits
- protects against post-build modification of JAR contents
- enables verification even after certificate expiration (due to timestamp)
- aligns with established Java code signing practices
- complements existing GPG-based artifact signing
Important notes
- The timestamp is embedded inside the JAR
- This mechanism is JAR/ZIP-specific and does not apply to other artifact types
- Verification is performed using jarsigner -verify or compatible tooling
Implementation notes
- Integrate signing in the verify phase (after packaging, before deployment)
- Configure credentials via environment variables or CI secrets
- Ensure signing runs before deployment but independent of GPG signing
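A pom.xml fragment showing how the above could be wired up, added here as an illustration rather than the project's own configuration: the keystore path, alias, environment variable names and TSA URL are placeholders to be replaced with the real CI secrets and the chosen RFC 3161 service.

```xml
<!-- Added example, not from the project. Placeholder values:
     JARSIGNER_KEYSTORE / JARSIGNER_STOREPASS / JARSIGNER_ALIAS are assumed
     CI secret names; tsa.example.invalid stands in for the real TSA URL. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <!-- Sign the main JAR and every attached JAR (sources, javadoc,
         jar-with-dependencies) in the verify phase, i.e. after package
         and before deploy. -->
    <execution>
      <id>sign-jars</id>
      <phase>verify</phase>
      <goals>
        <goal>sign</goal>
      </goals>
      <configuration>
        <keystore>${env.JARSIGNER_KEYSTORE}</keystore>
        <storetype>PKCS12</storetype>
        <storepass>${env.JARSIGNER_STOREPASS}</storepass>
        <alias>${env.JARSIGNER_ALIAS}</alias>
        <!-- RFC 3161 timestamp authority; the token is embedded in the
             signature block so the signature stays verifiable after the
             certificate expires. -->
        <tsa>https://tsa.example.invalid/rfc3161</tsa>
        <processMainArtifact>true</processMainArtifact>
        <processAttachedArtifacts>true</processAttachedArtifacts>
      </configuration>
    </execution>
    <!-- Fail the build if any produced JAR does not verify, including the
         signer certificate chain (jarsigner -verify -certs). -->
    <execution>
      <id>verify-jars</id>
      <phase>verify</phase>
      <goals>
        <goal>verify</goal>
      </goals>
      <configuration>
        <certs>true</certs>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Because jarsigner rewrites the JAR, this plugin must be declared before the GPG plugin's sign execution when both are bound to the same phase (Maven runs same-phase executions in POM order), so the detached *.asc is computed over the final, signed bytes.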