ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kev Jackson <kevin.jack...@it.fts-vn.com>
Subject Re: cvs commit: ant/src/testcases/org/apache/tools/ant/taskdefs SignJarTest.java
Date Wed, 30 Mar 2005 09:43:44 GMT
>
> Here are my current plans
> -pull the declaration of <verifyjar>, tests, etc.
> -I'd leave the code over in optional, always excluded, with a "here is 
> why this is broken" comment. Its aim is to warn off others.
> -Not attempt to use jar signing as a way of verifying JAR downloads in 
> <libraries>; this was my plan.
>
Could you load the classes in a secure loader and then try various 
methods - pulled out through reflection?  Presumably you'd get an 
exception if you tried to execute a method in a secure environment when 
the class wasn't signed?  Failing that is there anything in the 
bytecode, just read the correct segment of the class to discover if it's 
signed.  How else would the VM know if the jar was signed without 
checking the classes?

Jar downloads could be verified by checksum though.  Although the MD5 
and SHA1 have been shown to be susceptible to brute-force attacks.

Kev

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message