ant-notifications mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 27596] no way to verify JAR files as validly signed in Ant. (was: signjar should support the -verify and -certs options)
Date Tue, 19 May 2009 09:33:34 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=27596





--- Comment #5 from Steve Loughran <stevel@apache.org>  2009-05-19 02:33:32 PST ---
Emmanuel, read the comment above. Jarsigner -verify does not verify that the
JAR is signed by anyone you trust. That it does not look at your list of valid
certifications and say "are the artifacts in the JAR signed by a trusted
entity". All it does is check that there is a signature.

As I said before "verify is so broken, the presence of a <verifyjar> task would
mislead people into thinking it worked."

That is why <verifyjar> isn't written up. People might use it and think that it
is checking that JARs are valid. It isn't, and neither is jarsigner.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
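
The check the comment says `jarsigner -verify` does not make, written out as an added example (not part of the original message and not Ant code): every entry must carry a valid signature from a certificate that is present in a trust store you control. The class name `TrustedJarCheck` and its three arguments are assumptions; the check pins exact signer certificates and does not validate chains, expiry or revocation.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.*;

public class TrustedJarCheck {
    // Hypothetical usage: java TrustedJarCheck <jar> <truststore> <storepass>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        Set<Certificate> trusted = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted.add(ks.getCertificate(alias));
        }
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are only populated once the entry has been read to the
                // end; a digest mismatch throws SecurityException during the read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                if (!signedByTrusted(e.getCodeSigners(), trusted)) {
                    throw new SecurityException("no trusted signer: " + e.getName());
                }
            }
        }
        System.out.println("all entries signed by a certificate in the trust store");
    }

    static boolean signedByTrusted(CodeSigner[] signers, Set<Certificate> trusted) {
        if (signers == null) return false; // entry is unsigned
        for (CodeSigner s : signers) {
            // Element 0 of the path is the signer's own certificate.
            if (trusted.contains(s.getSignerCertPath().getCertificates().get(0))) return true;
        }
        return false;
    }

    // Manifest and signature files directly under META-INF are not themselves signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith("/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".DSA")
                || n.endsWith(".RSA") || n.endsWith(".EC"));
    }
}
```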
