See options.

Archive to process. If set, neither the project artifact nor any attachments or archive sets are processed.

The base directory to scan for JAR files using Ant-like inclusion/exclusion patterns.

List of additional arguments to append to the jarsigner command line. Each argument should be specified as a separate element. For example, to specify the name of the signed jar, two elements are needed:

• Alternative using the command line: -Djarsigner.arguments="-signedjar,my-project_signed.jar"
• Alternative using the Maven POM configuration:

<configuration>
  <arguments>
    <argument>-signedjar</argument>
    <argument>my-project_signed.jar</argument>
  </arguments>
</configuration>

Location of the extra certificate chain file. See options.

A set of artifact classifiers describing the project attachments that should not be processed. This parameter is only relevant if processAttachedArtifacts is true. If empty, no attachments are excluded.

The Ant-like exclusion patterns used to exclude JAR files from processing. The patterns must be relative to the directory given by the parameter archiveDirectory.

A set of artifact classifiers describing the project attachments that should be processed. This parameter is only relevant if processAttachedArtifacts is true. If empty, all attachments are included.

The Ant-like inclusion patterns used to select JAR files to process. The patterns must be relative to the directory given by the parameter archiveDirectory. By default, the pattern **/*.?ar is used.

See options.

See options.

The maximum memory available to the JAR signer, e.g. 256M. See -Xmx for more details.

Maximum delay, in seconds, to wait after a failed attempt before re-trying. The delay after a failed attempt follows an exponential backoff strategy, with increasing delay times.

How many times to try to sign a jar (assuming each previous attempt is a failure). This option may be desirable if any network operations are used during signing, for example using a Time Stamp Authority or network based PKCS11 HSM solution for storing code signing keys. The default value of 1 indicates that no retries should be made.

Controls processing of project attachments. If enabled, attached artifacts that are no JAR/ZIP files will be automatically excluded from processing.

Controls processing of the main artifact produced by the project.

Must be set to true if the password must be given via a protected authentication path such as a dedicated PIN reader.

See options.

See options.

See options.

Indicates whether existing signatures should be removed from the processed JAR files prior to signing them. If enabled, the resulting JAR will appear as being signed only once.

See options.

Set to true to disable the plugin.

See options.

See options.

Maximum number of parallel threads to use when signing jar files. Increases performance when signing multiple jar files, especially when network operations are used during signing, for example when using a Time Stamp Authority or network based PKCS11 HSM solution for storing code signing keys. Note: the logging from the signing process will be interleaved, and harder to read, when using many threads.

URL(s) to Time Stamping Authority (TSA) server(s) to use to timestamp the signing. See options. Separate multiple TSA URLs with comma (without space) or a nested XML tag.

<configuration>
  <tsa>http://timestamp.digicert.com,http://timestamp.globalsign.com/tsa/r6advanced1</tsa>
</configuration>

<configuration>
  <tsa>
    <url>http://timestamp.digicert.com</url>
    <url>http://timestamp.globalsign.com/tsa/r6advanced1</url>
  </tsa>
</configuration>

Usage of multiple TSA servers only makes sense when maxTries is more than 1. A different TSA server will only be used at retries.

Changed to a list since 3.1.0. Single XML element (without comma) is still supported.

Alias(es) for certificate(s) in the active keystore used to find a TSA URL. From the certificate the X509v3 extension "Subject Information Access" field is examined to find the TSA server URL. See options. Separate multiple aliases with comma (without space) or a nested XML tag.

<configuration>
  <tsacert>alias1,alias2</tsacert>
</configuration>

<configuration>
  <tsacert>
    <alias>alias1</alias>
    <alias>alias2</alias>
  </tsacert>
</configuration>

Should not be used at the same time as the tsa parameter (because jarsigner will typically ignore tsacert, if tsa is set).

Usage of multiple aliases only makes sense when maxTries is more than 1. A different TSA server will only be used at retries.

Changed to a list since 3.1.0. Single XML element (without comma) is still supported.

The message digest algorithm to use in the messageImprint that the TSA server will timestamp. A default value (for example SHA-384) will be selected by jarsigner if this parameter is not set. Only available in Java 11 and later. See options.

OID(s) to send to the TSA server to identify the policy ID the server should use. If not specified TSA server will choose a default policy ID. Each TSA server vendor will typically define their own policy OIDs. See options. Separate multiple OIDs with comma (without space) or a nested XML tag.

<configuration>
  <tsapolicyid>1.3.6.1.4.1.4146.2.3.1.2,2.16.840.1.114412.7.1</tsapolicyid>
</configuration>

<configuration>
  <tsapolicyid>
    <oid>1.3.6.1.4.1.4146.2.3.1.2</oid>
    <oid>2.16.840.1.114412.7.1</oid>
  </tsapolicyid>
</configuration>

If used, the number of OIDs should be the same as the number of elements in tsa or tsacert. The first OID will be used for the first TSA server, the second OID for the second TSA server and so on.

See options.

Location of the working directory.