How to specify -keep option

Hi, I’m new to Proguard. I’m using it with the Maven plugin, although I’m getting errors that have nothing to do with the plugin.
Not sure what options I need to specify. I only have -ignorewarnings, because I’m getting lot of duplicate classes reported. But I’m also getting lots of messages like these

It tells me to use the -keep option on elements with -printseeds , which I don’t understand at all. And then it also seens there were 3 access to class members by means of reflection, but I’m not sure how to tell what they are.

Dear @Peter_Kronenberg ,

First of all; welcome to our community and thanks for reaching out to us! Please find the answers to your questions below:

The option you have specified so far is a valid option when you want to suppress certain warnings. However, in general, a ProGuard configuration file will contain more than just this option. It is made for you to configure what parts of the code you do or do not want to be affected by ProGuard.
In general, ProGuard will (by default) apply name obfuscation, shrinking and optimization to your code. To make sure that these techniques do not break your code in any way, it might be necessary to keep certain class(members). This can be achieved by adding -keep rules to your ProGuard configuration file.

The error visible in the screenshot refers to the following:
Error: You have to specify -keep options

You either forgot to specify -keep options, or you mistyped the class names. ProGuard has to know exactly what you want to keep: an application, an applet, a servlet, a midlet,…, or any combination of these. Without the proper seed specifications, ProGuard would shrink, optimize, or obfuscate all class files away.

-printseeds specifies to exhaustively list classes and class members matched by the various -keep options. The list is printed to the standard output or to the given file. The list can be useful to verify if the intended class members are really found, especially if you’re using wildcards. For example, you may want to list all the applications or all the applets that you are keeping.

In general, I would like to point you to the troubleshooting section in the ProGuard manual where you can read more about the notes, errors and warnings you might encounter at build time:

https://www.guardsquare.com/manual/troubleshooting/troubleshooting

To know what class members were accessed through reflection, you can use the -addconfigurationdebugging option in your configuration file. When you then boot the application (on which ProGuard is applied), you wil see some information showing up in the logcat which will help you to come up with the right keep rules.

Please let me know if you have any additional questions.

Kind regards,

Ewout

Hi, I’m sorry, but I’m still not following. I looked at the troubleshooting link, but it did not contain the error I’m getting: Maybe this is library method '...'
I didn’t ‘forgot’ the -keep option. More like I didn’t have it at all because I didn’t know I needed it. I thought things would work mostly out of the box with the default options. I tried the -addconfigurationdebugging option, but that didn’t seem to do anything. The message is telling me that there are 3 accesses to class members by means of reflection. I t would have been nice to tell me what the 3 classes are (Proguard doesn’t seem to have a problem list hundreds of other classes which have various problems :-))

Is it required that I explicitly list the classes that I want to obfuscate? As I mentioned, I’m using the maven plugin, so to run it, I just do my maven build and the plugin calls Proguard.

You say

This is what I’m looking I’m looking for. I was hoping that the default would give me a working baseline that I could then tune from there.

Just to ensure that I’m running in a supported configuration, I downloaded the stand-alone version and ran that, instead of through Maven. I’m only specifying -injars,-outjars and -ignorewarnings. Got similar errors.

I think I mentioned this in another issue, but this error class [BOOT-INF/classes/com/torchai/service/textextractor/service/audio/AudioTranscriber.class] unexpectedly contains class [com.torchai.service.textextractor.service.audio.AudioTranscriber] makes no sense. Proguard should be ignoring the Boot-INF/classes part of the path name and only look at the package name.

That’s one of the reasons had I to turn on -ignorewarnings

I should also mention that I’m only interested in obfuscating my code. Not all the code of all the 3rd party dependencies, such as SpringBoot. Do I just have to specify my package name somewhere?

I found this page, https://www.guardsquare.com/manual/configuration/examples, but I’m not much closer. Using the below config. But I still don’t understand the errors that I’m getting. It’s also telling me that input classes are inconsistent and I might need to recompile, but this is newly compiled code, so I don’t understand what it’s complaining about.

I’m also getting occurrences of Warning: can't find superclass or interface for superclasses that are part of my code but in a dependent jar. The dependencies are in the jar itself in the BOOT-INF directory. How do I point to that jar within the jar?

# https://www.guardsquare.com/manual/configuration/examples

-ignorewarnings
-injars       target/nexus-text-extractor-service-1.0.4-SNAPSHOT.jar
-outjars      nexus-text-extractor-service-1.0.4-SNAPSHOT.obfuscate.jar
-libraryjars  <java.home>/lib/rt.jar
-printmapping myapplication.map

#-optimizationpasses 3
#-overloadaggressively
#-repackageclasses ''
#-allowaccessmodification

-keep public class com.torchai.service.textextractor.NexusTextExtractorServiceApplication {
    public static void main(java.lang.String[]);
}

``

@ewoutd I’m still having problems figuring this stuff out. Can someone help?

Hi @Peter_Kronenberg ,

I noticed we were able to assist with several other questions, however, given our PG engineers are understaffed through next week and have commitments to supporting our paid solutions, we likely won’t be available for immediate assistance in the near future.

However, if you continue to encounter issues through next week, please consolidate the outstanding questions into one thread and let us know then. Our support team should be more available in the second week of November.

Apologies for any inconvenience this may have caused,
Jesse & the Guardsquare team

I am still having a lot of issues getting this to work. Have read everything online, but some of the options are not quite clear. And when I fix one issue, I get other messages :-). So I will keep working at it and will try to post another question

Dear @Peter_Kronenberg ,

Let me answer the questions one by one.

The “Maybe this library method…” notes are connected to another line which was printed out previously. Please find an example below:

[proguard] Note: org.apache.commons.lang3.ObjectUtils accesses a method 'clone()' dynamically
[proguard]       Maybe this is program method 'com.ibm.icu.impl.CharacterIteratorWrapper { java.lang.Object clone(); }'

Since a method is dynamically accessed, it might be needed to keep certain methods and ProGuard is suggesting what method this can be based on what it knows. If a method is accessed through reflection while it is name obfuscated, it will result in crashes at runtime.

I thought things would work mostly out of the box with the default options. This is very unlikely, keep rules will most likely be needed.

  • I tried the -addconfigurationdebugging option, but that didn’t seem to do anything.* Can you specify the steps taken to test this so that we can further assist you?

The message is telling me that there are 3 accesses to class members by means of reflection. I t would have been nice to tell me what the 3 classes are (Proguard doesn’t seem to have a problem list hundreds of other classes which have various problems :-))

This is not always possible because ProGuard does not have all the information needed to specify this.

Is it required that I explicitly list the classes that I want to obfuscate? As I mentioned, I’m using the maven plugin, so to run it, I just do my maven build and the plugin calls Proguard.

It is necessary to mention the parts of the code that you do not want to be obfuscated / shrunk or optimized by ProGuard because it would cause issues at runtime.

I should also mention that I’m only interested in obfuscating my code. Not all the code of all the 3rd party dependencies, such as SpringBoot. Do I just have to specify my package name somewhere?

You can use keep rules as follows, to allow optimization and shrinking while not applying name obfuscation onto 3rd party dependencies like SpringBoot:

-keep, allowoptimization, allowshrinking !com.your.package.** {*;}

The dependencies are in the jar itself in the BOOT-INF directory. How do I point to that jar within the jar

This depends on the specific use case, I would highly suggest you to take a look at the Spring Boot example: proguard/examples/spring-boot at master · Guardsquare/proguard · GitHub. This will hopefully help you to understand how to come up with the right set up for a Spring Boot application. You will find the following information in the Readme file for example:

Spring Boot applications contain a BOOT-INF folder which contains the application class files and library jars. We must first extract the program classes, then apply ProGuard to them and finally repackage the application.

Kind regards,

Ewout

Thanks, I was able to finally get everything working by finding some additional resources and working examples on the web, specifically SpringBoot examples