diff --git a/org.lamport.tla.toolbox.jnlp/keystore b/keystore
similarity index 100%
rename from org.lamport.tla.toolbox.jnlp/keystore
rename to keystore
diff --git a/org.lamport.tla.toolbox.jnlp/pom.xml b/org.lamport.tla.toolbox.jnlp/pom.xml
index f888d99a8ed0a15a6dda74890bcfafc82c88bfb2..7fa2501855766dbe6e5a1b7373f74616da3aef20 100644
--- a/org.lamport.tla.toolbox.jnlp/pom.xml
+++ b/org.lamport.tla.toolbox.jnlp/pom.xml
@@ -14,15 +14,6 @@
   <version>1.0.0-SNAPSHOT</version>
   <packaging>eclipse-plugin</packaging>
 
-  <!-- These properties define a dummy certificate store that is used unless the developer passes overwrites to maven -->
-  <!-- see http://stackoverflow.com/a/3620575 for how such an overwrite would look like. -->  
-  <properties>
-  	<keystore.path>keystore</keystore.path>
-	<keystore.alias>msr</keystore.alias>
-    <keystore.store.password>secret</keystore.store.password>
-    <keystore.key.password>secret</keystore.key.password>
-  </properties>
-
 	<!-- Create a manual dependency towards the tlatools project. It creates 
 		the tla2tools.jar that is signed here. Without the dependency, a concurrent 
 		build will fail to sign when tlatools is built after this pom. -->
diff --git a/pom.xml b/pom.xml
index a2b465c2b7ae46366cc5548dccbbfe708ac338a1..7bbcbe199bf40e36756e2f41f37d9f7c7fc17868 100644
--- a/pom.xml
+++ b/pom.xml
@@ -91,6 +91,24 @@
 		<!-- no default here -->
 		<tycho.test.vm.argline>-Xmx500m -Xdebug -Xrunjdwp:transport=dt_socket,address=1044,server=y,suspend=n</tycho.test.vm.argline>
 		<tycho.test.vm.useUiThread>false</tycho.test.vm.useUiThread>
+
+        <!-- These properties define a dummy certificate store that is used unless the developer passes overwrites to maven -->
+        <!-- see http://stackoverflow.com/a/3620575 for how such an overwrite would look like. -->  
+  	    <keystore.path>${project.basedir}/../keystore</keystore.path>
+	    <keystore.alias>msr</keystore.alias>
+        <keystore.store.password>secret</keystore.store.password>
+        <keystore.key.password>secret</keystore.key.password>
+        <!-- 
+          Set to the values below if the signature should include a timestamp. You want this for a release build 
+          because a timestamp makes sure the signature remains valid after the certificate expired.
+          If you activate RFC3161, make sure the machine running the build has sufficient entropy available. Otherwise
+          expect to see intermittent hangs when the build attempts to sign a jar. On Linux the haveged and rng-tools
+          can help to collect entropy. 
+          <tsa.flag>-tsa</tsa.flag>
+          <tsa.server>http://timestamp.comodoca.com</tsa.server>
+		 -->
+        <tsa.flag></tsa.flag>
+        <tsa.server></tsa.server>
 	</properties>
 
 	<build>
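Review bot: The defaults for `keystore.store.password` and `keystore.key.password` point every build at a keystore whose password is committed to the repository, and nothing in these properties makes a release build fail when the overrides are forgotten. A jar signed this way would look signed but carry no authenticity, since anyone with the repository can produce the same signature. I would extend the comment above the properties with something like `<!-- The dummy keystore and its password are public; release builds must override all four keystore.* properties, preferably from settings.xml rather than -D on the command line, where passwords end up in shell history and CI logs. -->`. Separately, `${project.basedir}/../keystore` is evaluated per module, so it presumably only resolves for modules sitting directly below the repository root; a root-anchored property would be less fragile if the build has one.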
@@ -122,6 +140,33 @@
 				    </archive>
 			    </configuration>
 			</plugin>
+			<plugin>
+			    <groupId>org.apache.maven.plugins</groupId>
+			    <artifactId>maven-jarsigner-plugin</artifactId>
+			    <version>1.4</version>
+			        <configuration>
+				        <keystore>${keystore.path}</keystore>
+				        <alias>${keystore.alias}</alias>
+				        <storepass>${keystore.store.password}</storepass>
+				        <keypass>${keystore.key.password}</keypass>
+			           	<verbose>false</verbose>
+			           	<arguments>
+			 			  <!-- Embed a current timestamp in the signed content (file). With this timestamp, 
+							the signature of the content remains valid *after* the signing certificate 
+							expired. -->
+			              <argument>${tsa.flag}</argument>
+			              <argument>${tsa.server}</argument>
+			            </arguments>
+			        </configuration>
+			        <executions>
+			            <execution>
+			                <id>sign</id>
+			                <goals>
+			                    <goal>sign</goal>
+			                </goals>
+			            </execution>
+			         </executions>
+			</plugin>
     			<plugin>
 				<groupId>org.eclipse.tycho</groupId>
 				<artifactId>target-platform-configuration</artifactId>
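Review bot: With the default empty `tsa.flag` and `tsa.server`, the two `<argument>` entries are still part of the configuration, so whether jarsigner receives empty arguments depends on how the plugin treats empty list items; that is worth confirming with a default build. If this plugin version offers the dedicated `tsa` parameter (it appears to have been introduced around 1.3, please verify), `<tsa>${tsa.server}</tsa>` would replace both arguments and drop the need for a separate flag property. The execution runs only the `sign` goal, so a jar that ends up unsigned or signed with the wrong alias is not detected by the build; adding `<goal>verify</goal>` in a later execution would catch that. Whether this `<plugin>` sits under `<plugins>` or `<pluginManagement>` is not visible in the hunk, which decides whether every module is signed.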