commons-dev mailing list archives

From Paul Libbrecht <>
Subject Re: [all] jar signing with jarsigner
Date Fri, 03 Mar 2006 08:56:09 GMT
As far as I could see such a thing... jar signing would need to happen 
on the Apache server... using some Apache private key... right?
Maybe this is a first issue?
How would you go about ensuring that such a private key is not hacked or copied?
Let the infrastructure team do the signing?

I suppose that, with Java Web Start, the jar-signing mechanism may 
request at least one authorization for each signing key...


Sandy McArthur wrote:
> The discussion on signing releases with PGP led me to wonder why jars
> aren't signed with the jarsigner tool? As Java-centric as Jakarta is,
> now that I think about it, it seems kind of strange that the "Java
> way" of signing code isn't used. I'm not suggesting replacing the PGP
> sigs on releases, jarsigner doesn't do much with tarballs.
> E.g.: having HttpClient signed would let an admin express with the Java
> security model that a web app cannot open sockets unless it's being
> made by an official version of HttpClient. Or that a webapp cannot
> create temp files except by a signed FileUpload lib.
> --
> Sandy McArthur
> "He who dares not offend cannot be honest."
> - Thomas Paine

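The permission model Sandy describes is expressed in a Java policy file, where a `grant signedBy` clause ties a permission to the certificate under a given keystore alias. The fragment below is an added illustration, not something from this thread or from the Jakarta projects; the keystore path and the aliases `httpclient-release` and `fileupload-release` are assumed names. The keystore the policy points at holds only the signers' public certificates, so the private signing key that Paul is worried about never needs to leave whoever does the release signing.

```text
// Added example policy file (hypothetical paths and aliases).
// The keystore named here contains only trusted public certificates,
// not the private keys used by jarsigner.
keystore "file:${user.home}/trusted-signers.jks", "JKS";

// Socket access is granted only to classes loaded from a jar whose
// signature verifies against the certificate stored under this alias.
grant signedBy "httpclient-release" {
    permission java.net.SocketPermission "*:1-65535", "connect,resolve";
};

// Temp-file creation is granted only to a signed FileUpload jar;
// "${/}-" means "recursively below java.io.tmpdir".
grant signedBy "fileupload-release" {
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};

// No grant block for the web application's own classes: anything
// unsigned, or signed by an unknown key, keeps the default sandbox
// and cannot open sockets or write files.
```

Two caveats a deployer would want: the policy is only enforced when the JVM runs with a security manager installed (`-Djava.security.manager` together with `-Djava.security.policy=<file>`), and the grant is only as strong as the signature check, so the jar should be checked with `jarsigner -verify -verbose -certs` against the same certificates before it is trusted in the policy.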
