ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Drew Sudell <>
Subject Signtool vs. JavaSign
Date Thu, 23 May 2002 16:34:53 GMT
Robert Priest writes:
 > In our build process we sign jars with netscape's signtool, but I would like
 > to switch that to use javasign and ant's <SignJar> task.
 > Is that pretty much an even switch or do I need to be concerned about
 > certain thing?
 > Does anyone know of a comparison document between the two?

Netscape's signtool is essentially a rewrite/extension of Sun's jar
signing tool.  It does a few extra, Netscape specific, things.  The
one that comes to mind is signing javascript code in html files.
That's important if you want to do something privileged on the client
in a bit of javascript.

If you are just signing the class files in the jar, for use by the
classloader or just so you can verify them later as an integrity
check, I don't see any advantage to signtool off the top of my head.

Don't know of a comparison document.  But I could try to dig up the
Docs on each from Netscape and Sun if it's important to you.  The Sun
stuff is pretty well doced in the JDK and JCE docs.  The Netscape
stuff was on their developer site, but if I recall took a bit of
digging to find.

 > Using <SignJar> is the keystore attribute the same as the '-d "certificate
 > directory"'  argument in signtool?
 > if not, how do you specify a "certificate directory"

They are similar concepts, but not the same.  The certificates should
be compatible if you export/import them.  [No, I haven't done that.]
But the files themselves are not.  Netscape uses a keystore that is a
couple of DBM files that sit in the certificate directory.  The JSA
keystore concept is a single file that holds both private keys and
certificates.  The format is unspecified, only the interface from Java 
is speced.  But only the keystore provider needs to know the format.
 > As of now, I am calling signtool using an <exec> task.

That's about how I used it when I had to sign some javascript code
that deployed into a webapp.  Not sure a task would add much, at
least in my case it would not have.


        Drew Sudell

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message