From 787689ba900f6bf1f24e071c204fb6b6f2327b8e Mon Sep 17 00:00:00 2001
From: Zsombor Gegesy <gzsombor@gmail.com>
Date: Thu, 24 Feb 2022 19:53:32 +0100
Subject: [PATCH] MSHADE-147: Add flag to disable jar signing verification

---
 .../maven/plugins/shade/DefaultShader.java    | 16 ++++++-------
 .../maven/plugins/shade/ShadeRequest.java     | 13 ++++++++++
 .../maven/plugins/shade/mojo/ShadeMojo.java   | 24 +++++++++++++------
 3 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/apache/maven/plugins/shade/DefaultShader.java b/src/main/java/org/apache/maven/plugins/shade/DefaultShader.java
index 6b032ca4..9139c712 100644
--- a/src/main/java/org/apache/maven/plugins/shade/DefaultShader.java
+++ b/src/main/java/org/apache/maven/plugins/shade/DefaultShader.java
@@ -234,7 +234,7 @@ private void shadeJars( ShadeRequest shadeRequest, Set<String> resources, List<R
 
             List<Filter> jarFilters = getFilters( jar, shadeRequest.getFilters() );
 
-            try ( JarFile jarFile = newJarFile( jar ) )
+            try ( JarFile jarFile = newJarFile( jar, shadeRequest.isDisableJarFileVerification() ) )
             {
 
                 for ( Enumeration<JarEntry> j = jarFile.entries(); j.hasMoreElements(); )
@@ -242,7 +242,7 @@ private void shadeJars( ShadeRequest shadeRequest, Set<String> resources, List<R
                     JarEntry entry = j.nextElement();
 
                     String name = entry.getName();
-                    
+
                     if ( entry.isDirectory() || isFiltered( jarFilters, name ) )
                     {
                         continue;
@@ -347,7 +347,7 @@ private void goThroughAllJarEntriesForManifestTransformer( ShadeRequest shadeReq
         {
             for ( File jar : shadeRequest.getJars() )
             {
-                try ( JarFile jarFile = newJarFile( jar ) )
+                try ( JarFile jarFile = newJarFile( jar, shadeRequest.isDisableJarFileVerification() ) )
                 {
                     for ( Enumeration<JarEntry> en = jarFile.entries(); en.hasMoreElements(); )
                     {
@@ -463,12 +463,12 @@ private void logSummaryOfDuplicates( MultiValuedMap<Collection<File>, String> ov
         }
     }
 
-    private JarFile newJarFile( File jar )
+    private JarFile newJarFile( File jar, boolean disableJarFileVerification )
         throws IOException
     {
         try
         {
-            return new JarFile( jar );
+            return new JarFile( jar, !disableJarFileVerification );
         }
         catch ( ZipException zex )
         {
@@ -534,12 +534,12 @@ private void addRemappedClass( JarOutputStream jos, File jar, String name,
 
             return;
         }
-        
+
         // Keep the original class in, in case nothing was relocated by RelocatorRemapper. This avoids binary
         // differences between classes, simply because they were rewritten and only details like constant pool or
         // stack map frames are slightly different.
         byte[] originalClass = IOUtil.toByteArray( is );
-        
+
         ClassReader cr = new ClassReader( new ByteArrayInputStream( originalClass ) );
 
         // We don't pass the ClassReader here. This forces the ClassWriter to rebuild the constant pool.
@@ -691,7 +691,7 @@ private interface PackageMapper
     {
         /**
          * Map an entity name according to the mapping rules known to this package mapper
-         * 
+         *
          * @param entityName entity name to be mapped
          * @param mapPaths map "slashy" names like paths or internal Java class names, e.g. {@code com/acme/Foo}?
          * @param mapPackages  map "dotty" names like qualified Java class or package names, e.g. {@code com.acme.Foo}?
diff --git a/src/main/java/org/apache/maven/plugins/shade/ShadeRequest.java b/src/main/java/org/apache/maven/plugins/shade/ShadeRequest.java
index 7d1376a2..8647b21a 100644
--- a/src/main/java/org/apache/maven/plugins/shade/ShadeRequest.java
+++ b/src/main/java/org/apache/maven/plugins/shade/ShadeRequest.java
@@ -46,6 +46,8 @@ public class ShadeRequest
 
     private boolean shadeSourcesContent;
 
+    private boolean disableJarFileVerification;
+
     public Set<File> getJars()
     {
         return jars;
@@ -137,4 +139,15 @@ public void setShadeSourcesContent( boolean shadeSourcesContent )
     {
         this.shadeSourcesContent = shadeSourcesContent;
     }
+
+    public boolean isDisableJarFileVerification()
+    {
+        return disableJarFileVerification;
+    }
+
+    public void setDisableJarFileVerification( boolean disableJarFileVerification )
+    {
+        this.disableJarFileVerification = disableJarFileVerification;
+    }
+
 }
diff --git a/src/main/java/org/apache/maven/plugins/shade/mojo/ShadeMojo.java b/src/main/java/org/apache/maven/plugins/shade/mojo/ShadeMojo.java
index d717253f..dbbef638 100644
--- a/src/main/java/org/apache/maven/plugins/shade/mojo/ShadeMojo.java
+++ b/src/main/java/org/apache/maven/plugins/shade/mojo/ShadeMojo.java
@@ -147,7 +147,7 @@ public class ShadeMojo
      * syntax <code>groupId</code> is equivalent to <code>groupId:*:*:*</code>, <code>groupId:artifactId</code> is
      * equivalent to <code>groupId:artifactId:*:*</code> and <code>groupId:artifactId:classifier</code> is equivalent to
      * <code>groupId:artifactId:*:classifier</code>. For example:
-     * 
+     *
      * <pre>
      * &lt;artifactSet&gt;
      *   &lt;includes&gt;
@@ -164,7 +164,7 @@ public class ShadeMojo
 
     /**
      * Packages to be relocated. For example:
-     * 
+     *
      * <pre>
      * &lt;relocations&gt;
      *   &lt;relocation&gt;
@@ -179,7 +179,7 @@ public class ShadeMojo
      *   &lt;/relocation&gt;
      * &lt;/relocations&gt;
      * </pre>
-     * 
+     *
      * <em>Note:</em> Support for includes exists only since version 1.4.
      */
     @SuppressWarnings( "MismatchedReadAndWriteOfArray" )
@@ -200,7 +200,7 @@ public class ShadeMojo
      * to use an include to collect a set of files from the archive then use excludes to further reduce the set. By
      * default, all files are included and no files are excluded. If multiple filters apply to an artifact, the
      * intersection of the matched files will be included in the final JAR. For example:
-     * 
+     *
      * <pre>
      * &lt;filters&gt;
      *   &lt;filter&gt;
@@ -401,7 +401,16 @@ public class ShadeMojo
      */
     @Parameter( defaultValue = "false" )
     private boolean skip;
-    
+
+     /**
+     * When true, the JAR files of the dependencies will not be verified (only relevant in case of signed JAR files).
+     * This is to work around issues with incorrectly signed but otherwise valid dependencies (e.g. certificate
+     * expired).
+     * @since 3.3.1
+     */
+    @Parameter( defaultValue = "false" )
+    private boolean disableJarFileVerification;
+
     /**
      * @throws MojoExecutionException in case of an error.
      */
@@ -565,7 +574,7 @@ public void execute()
                         replaceFile( finalFile, testSourcesJar );
                         testSourcesJar = finalFile;
                     }
-                
+
                     renamed = true;
                 }
 
@@ -663,6 +672,7 @@ private ShadeRequest shadeRequest( String shade, Set<File> artifacts, File outpu
         shadeRequest.setFilters( filters );
         shadeRequest.setRelocators( relocators );
         shadeRequest.setResourceTransformers( toResourceTransformers( shade, resourceTransformers ) );
+        shadeRequest.setDisableJarFileVerification( disableJarFileVerification );
         return shadeRequest;
     }
 
@@ -1159,7 +1169,7 @@ private void rewriteDependencyReducedPomIfWeHaveReduction( List<Dependency> depe
                 }
 
                 File f = dependencyReducedPomLocation;
-                // MSHADE-225 
+                // MSHADE-225
                 // Works for now, maybe there's a better algorithm where no for-loop is required
                 if ( loopCounter == 0 )
                 {