通过Gradle签名Eclipse插件

When we distribute Eclipse plugin, it is better to sign your .jar files by jarsigner bundled with JDK. By this process user can install your plugin without warning like this.
In Eclipse wiki we have Jar Signing page, but it explains no detailed method to sign. Here let's see how Gradle can sign your .jar files.

To sign by jarsigner, you need Java Keystore file that stores keychain. We can use keytool to generate self-signed signature, but here we'll use Let's Encrypt to generate non self-signed signature.

First, follow interaction of Let's Encrypt, then you can generate privkey.pem and fullchain.pem. Second, use openssl command to generate .p12 file that is necessary to generate Java Keystore. Here is example:

$ openssl pkcs12 -export \
  -in fullchain.pem -inkey privkey.pem \
  -out your.p12 \
  -name eclipse-plugin

第三，通过生成.jks文件关键工具命令：

$ keytool -importkeystore \
  -srckeystore your.p12 -srcstorepass $SRC_PASS -srcstoretype PKCS12 \
  -destkeystore your.jks -deststorepass $DEST_PASS 

We use this .jks file to sign, so remember your $DEST_PASS. You also need to keep this .jks file secret. If you're using Travis CI, encrypt-file command is your friend.

OK now we have all necessary things, let's config our build.gradle file.
What you need is a function to sign both plugins jar file and feature jar files. Groovy itself doesn't provide feature to sign, so use Ant's SignJar task instead like below:

// sign all .jar file under specified dir
ext.signJar = { File dir ->
  def keystorepass = project.hasProperty('DEST_PASS') ? keystorepass : '';
  if (keystorepass.isEmpty()) {
    print 'to sign eclipse plugins, set "DEST_PASS" project property'
    return
  }

  dir.traverse(type: FILES, nameFilter: ~/.*\.jar$/) {
    def relativePath = rootDir.toPath().relativize( it.toPath() )
    println "signing ${relativePath}"
    ant.signjar(
        destDir: it.parentFile,
        jar: it,
        alias: 'eclipse-plugin',
        keystore: "path/to/your.jks",
        storepass: keystorepass,
        tsaurl: 'http://timestamp.digicert.com',
        verbose: true
    )
  }
}

做得好！ 您可以在jar任务和artifacts.xml文件生成（因此）artifacts.xml包含.jar文件的md5哈希）。

Here is a PR that introduces jarsigner to SpotBugs build, you may check it as working solution. It uses Gradle 5.0 RC3, but it should work with Gradle 4 too.

from: https://dev.to//kengotoda/sign-eclipse-plugin-by-gradle-4md8