maven-shade-plugin

MSHADE-147: Add flag to disable jar signing verification

Open gzsombor opened this issue 3 years ago • 5 comments

This is the rebased fix for https://issues.apache.org/jira/browse/MSHADE-147. The problem is that certain jar files have an incorrect signature, so the shade plugin couldn't even open them. The solution for this is a flag which can optionally disable this jar verification.

Follow this checklist to help us incorporate your contribution quickly and easily:

  • [X] Make sure there is a JIRA issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a JIRA issue. Your pull request should address just this issue, without pulling in other changes.
  • [X] Each commit in the pull request should have a meaningful subject line and body.
  • [X] Format the pull request title like [MSHADE-XXX] - Fixes bug in ApproximateQuantiles, where you replace MSHADE-XXX with the appropriate JIRA issue. Best practice is to use the JIRA issue title in the pull request title and in the first line of the commit message.
  • [X] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • [X] Run mvn clean verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
  • [X] You have run the integration tests successfully (mvn -Prun-its clean verify).

If your pull request is about ~20 lines of code, you don't need to sign an Individual Contributor License Agreement. If you are unsure, please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004, you have to acknowledge this by using the following check-box.

gzsombor, Feb 24 '22 19:02

A test would be welcomed.

gnodet, Oct 19 '22 20:10

Hey, I'm running into this trying to shade one of my projects, and I think not only should this be finished and we should get the option to avoid this, but we also need the logging to be more than a generic "Invalid signature file digest for Manifest main attributes". If you're going to tell me one or more of my dependencies has an invalid signature, you should at least tell me which ones so I can take action over that instead of filtering out the signature files of all my dependencies as if they had no use.

mauro-rizzi-DSP, May 24 '24 19:05
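
An added example (not part of this pull request or the plugin's code): a standalone check that opens each jar in a directory with signature verification enabled and names the ones that fail, which is the per-dependency information asked for in the comment above. The default directory `target/dependency` assumes the jars were copied there with `mvn dependency:copy-dependencies`; the class and method names are illustrative.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;
import java.util.stream.*;

public class FindBadSignatures {
    /** Returns null if the jar opens and reads cleanly, else the failure message. */
    static String check(Path jar) {
        byte[] buf = new byte[8192];
        // Second constructor argument 'true' enables signature verification.
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            jf.getManifest(); // parsing the manifest triggers signature-file checks
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory()) continue;
                // Digests are only checked once an entry has been read to the end.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
            }
            return null; // unsigned jars also end up here: nothing to verify
        } catch (SecurityException | IOException ex) {
            return ex.getClass().getSimpleName() + ": " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed default: output directory of dependency:copy-dependencies.
        Path dir = Paths.get(args.length > 0 ? args[0] : "target/dependency");
        List<Path> jars;
        try (Stream<Path> s = Files.walk(dir)) {
            jars = s.filter(p -> p.toString().endsWith(".jar"))
                    .sorted().collect(Collectors.toList());
        }
        int bad = 0;
        for (Path jar : jars) {
            String err = check(jar);
            if (err != null) {
                bad++;
                System.out.println("FAIL " + jar + " -> " + err);
            }
        }
        System.out.println(jars.size() + " jars checked, " + bad + " failed");
        if (bad > 0) System.exit(1); // non-zero exit so a CI step can gate on it
    }
}
```

With the failing jars identified, signature files can be filtered for those artifacts only, leaving verification in place for every other dependency.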