ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From T E Schmitz <mail...@numerixtechnology.de>
Subject Re: [signjar] prevent double signing
Date Fri, 05 Nov 2004 12:23:44 GMT
Hallo Stefan,

Stefan Bodewig wrote:
> On Thu, 04 Nov 2004, T. E. Schmitz <mailreg@numerixtechnology.de>
> wrote:
> 
> information can and should be gathered from
> <http://java.sun.com/j2se/1.3/docs/guide/jar/jar.html> and in
> particular
> <http://java.sun.com/j2se/1.3/docs/guide/jar/jar.html#Signed%20JAR%20File>

Thanks for the links. I couldn't find any information though as to that
and why jarsigner truncates the alias: jarsigner takes the alias name,
truncates it to 8 characters and uses this as a basename for the SF file.
This is where signjar's lazy option falls down. I have just tested this:
If lazy=true signjar will not re-sign the jar with the same signature. 
It will, however, sign a signed jar if the basename of the SF file is 
different from the given alias. (It would be great if this could be 
stated more explicitly in the Ant manual.)

The following example uses an alias longer than 8 chars. The comparison 
in isSigned() will return false (and therefore re-sign the jar) because 
the existing SF file is called EMORDES-.SF.

<signjar keystore="${java.keystore}" storepass="${keystore.passwd}" 
alias="emordes-stock" lazy="true" jar="util.jar" />
		
While keystore permits alias names longer than 8, jarsigner truncates 
the SF file basename to 8. In other words, the lazy option cannot work 
with aliases longer than 8 chars.

(Not to mention the fact that jarsigner couldn't sign a jar with two 
signatures the alias name of which is not unique on the fist 8 chars?!)

=========================

Back to my original question: can I avoid that a jar might be signed 
with more than one signature? *Webstart won't allow jar with more than 
one signature.* (I realize now that my subject line was a bit ambiguous.)
The answer is: even with short alias names, the lazy option wouldn't be 
able to do that because it just avoids re-signing with the same signature.

I presume this is too specialist a requirement to incorporate this logic 
in the signjar task because then we would need two different isSigned() 
methods. OTOH, other people using WebStart will encounter the same issue.

So, I either write my first Ant task or I use the dirty option of 
extracting all files and testing for the existance of an SF file :-(

> As for the case sensitivity question in your other mail.  First make
> sure that you are not using WinZIP to verify the case of file names.
> <http://ant.apache.org/faq.html#winzip-lies> applies to any archives,
> not only those created by Ant.

I realized this, too, last night and I must say I was totally flummoxed. 
Serves me right for using Winblows. In German I'd call this a case of 
"Volksverdummung". Unbeliavable what "features" some people come up with.

-- 


Regards/Gruß,

Tarlika Elisabeth Schmitz

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Mime
View raw message