How to sign JAR file during release promotion?

There is a way to sign specific Jar files. It is based on the automatic jar signing feature


To do this, you should create an Artifactory Promotion User Plugin (Groovy based), where you can select the published or a few independent jar files from a previous build based on parameters and implement any policies you wish.


You will want to have created a new version of the build info with the new checksums obtained after signing the (acquiring them from a configured virtual repository) and then publish that build info. Since the build info is immutable and you will be able to update any checksums in already deployed build info. Essentially the way the plugin should function is similar to the promotion plugin you will create where the .pom files are modified and reset in the build info.


Please note: you may write and test User Plugins using the Artifactory User Plugins Devenv, a minimized development environment project.