Webstart maven plugin, updateManifestEntries and PKCS11 code signing mutually exclusive


I've been struggling with this for a couple days now, and I believe I have a workaround, but it's a tremendously crappy one.

Our code signing certificate is in an HSM slot. So we must use PKCS11 to sign.

So far as I can tell, the maven webstart plugin (beta 4) lacks support for providerClass, providerArg and providerName. This means that PKCS11 signing can't happen that way.

Fine. There's the jarsigner plugin. That works just fine to sign the jars.

The problem is that we now must also use updateManifestEntries to add the codebase and permission entries to our webstart applet.

Well, the actual code in the webstart plugin to actually perform the manifest update is inside of

if (sign) { ... }

So it never happens.

So we have to have a bogus self-signed cert and key and use that in the sign config of the webstart plugin so that we can get the jars' manifests updated, and then throw away all that wasted work and resign the jars with the jarsigner plugin.

SURELY there has to be a better way!

There is 1 solution below

To make your PKCS#11 the default and pass it an argument I think you could do:

$JAVA_HOME/lib/security/java.security:

security.provider.1=com.security.whateverPKCS11Provider whateverProviderArg1
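
A post-build check for the two-pass workaround described in the question, added here as an example and not taken from the question, the answer, or either plugin: it confirms that the Permissions and Codebase manifest entries are present and that only the expected signer's files remain in META-INF, since a jar can carry more than one signer and the throwaway signature may survive the re-sign. The signer names HSMKEY and BOGUS and the sample jars are constructed; the check looks at file names only, so cryptographic validation is still the job of jarsigner -verify.

```python
import io
import zipfile

REQUIRED = ("Permissions", "Codebase")   # entries the question adds via updateManifestEntries
SIG_EXTS = (".SF", ".RSA", ".DSA", ".EC")

def main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF (it ends at the first blank line)."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if not line:
            break
        if line.startswith(" ") and last:    # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            attrs[last] = value
    return attrs

def audit_jar(jar, expected_signer):
    """Return a list of problems; expected_signer is the signature file base name."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = main_attributes(manifest)
    problems = [f"missing manifest entry: {k}" for k in REQUIRED if k not in attrs]
    signers = set()
    for name in names:
        head, _, tail = name.rpartition("/")
        if head.upper() == "META-INF" and tail.upper().endswith(SIG_EXTS):
            signers.add(tail.rsplit(".", 1)[0].upper())
    want = expected_signer.upper()
    if want not in signers:
        problems.append(f"not signed by {expected_signer}")
    problems += [f"leftover signature from: {s}" for s in sorted(signers - {want})]
    return problems

def build_sample(signers, attrs):
    """Constructed in-memory jar with empty placeholder signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"] + [f"{k}: {v}" for k, v in attrs.items()]
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n\r\n")
        for s in signers:
            zf.writestr(f"META-INF/{s}.SF", "")
            zf.writestr(f"META-INF/{s}.RSA", "")
    buf.seek(0)
    return buf
```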