[1.7.10] How to sign the jar so it can be verified using certificateFingerprint

Hello everyone,

after I found out some sites have started redistrubtiing my mod with out permission and heard of cases of them inserting malicious code I decided I want to start signing my jars. I already managed to sign them and have automated this process with gradle. I also verify the signatur myself but that of course is insecure since this code could be removed aswell.

Then I found the "certificateFingerprint" field in the @Mod annotation and wondered how that works. I tested it out and according to the log my jar is not signed even though it is (checked it by hand).

The log said this:

[21:14:28] [Client thread/ERROR] [brainStoneMod]: The mod BrainStoneMod is expecting signature da39a3ee5e6b4b0d3255bfef95601890afd80709 for source BrainStoneMod-v2.53.229 BETA DEV.jar, however there is no signature matching that description

So how exactly is this supposed to work?

I case anyone is wondering I use the following gradle code to sign them. The result is the same as using the jarsigner tool.

def signJar(archivePath) {
  if (project.hasProperty('keyStoreAlias') && project.hasProperty('keyStore') && project.hasProperty('keyStorePass')) {
    ant.signjar(
      jar:                  archivePath,
      alias:                project.keyStoreAlias,
      keystore:             project.keyStore,
      storepass:            project.keyStorePass,
      preservelastmodified: true
    )
  } else {
    println 'WARNING!!!\tCannot sign jar !'
  }
}

and I modified the jar and reobf tasks too:

jar {
    doLast {
        if (!gradle.taskGraph.hasTask(reobf)) {
            signJar(jar.archivePath)
        }
    }
}

reobf {
    doLast {
        signJar(jar.archivePath)
    }
}

The signing is already working.

Also the entire code can be found on GitHub: https://github.com/BrainStone/brainstone