ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <>
Subject Re: cvs commit: ant/src/testcases/org/apache/tools/ant/taskdefs
Date Wed, 30 Mar 2005 11:41:21 GMT
Kev Jackson wrote:
>> Here are my current plans
>> -pull the declaration of <verifyjar>, tests, etc.
>> -I'd leave the code over in optional, always excluded, with a "here is 
>> why this is broken" comment. Its aim is to warn off others.
>> -Not attempt to use jar signing as a way of verifying JAR downloads in 
>> <libraries>; this was my plan.
> Could you load the classes in a secure loader and then try various 
> methods - pulled out through reflection?  Presumably you'd get an 
> exception if you tried to execute a method in a secure environment when 
> the class wasn't signed? 

unless there was some other reason for it failing; side effects, etc, etc.

> Failing that is there anything in the 
> bytecode, just read the correct segment of the class to discover if it's 
> signed.  How else would the VM know if the jar was signed without 
> checking the classes?

yes, you can reverify by hand. I just didnt want to go to the effort of 
writing the stuff. Oh, and the classes to help you are all com.sun stuff 
that moves around; not part of the public Java API, so cant be used.
> Jar downloads could be verified by checksum though.  Although the MD5 
> and SHA1 have been shown to be susceptible to brute-force attacks.

md5 is doomed; it is only a matter of (short) time. SHA1 is still secure 
against a motivated government. Which is good, as that is what jar 
signing uses.

We'll have to use SHA1 with <libraries>. Currently the maven repository 
has .md5 files, but since the md5 files arent signed in anyway, there is 
no way to detect the subversion of both the md5 and the binary itself.

what you need is
  -remote fetch of checksums from a trusted HTTPS site
  -proper signature files, not just checksum files, with the signatory 

this leads to another problem, which is we'll need to have the public 
cert of apache included in a certificates file in Ant, and make sure 
that the ant distros (both standalone and embedded) dont get subverted.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message