commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Libbrecht <p...@activemath.org>
Subject Re: [all] jar signing with jarsigner
Date Fri, 03 Mar 2006 08:56:09 GMT
As far as I could see such a thing... jar signing would need to happen 
on Apache server... using some Apache private key... right ?
Maybe this is a first issue ?
How would you go to ensure that such a private key is not hacked or copied ?
Let infrastructure team do the signing ?

I suppose that, with Java Web Start, the jar-signing mechanism may 
request at least one authorization for each signing key...

paul

Sandy McArthur wrote:
> The discussion on signing releases with PGP led me to wonder why jar's
> aren't signed with the jarsigner tool? As Java centric as Jakarta is,
> now that I think about it, it seems kind of strange that the "java
> way" of signing code isn't used. I'm not suggesting replacing the PGP
> sigs on releases, jarsigner doesn't do much with tarballs.
>
> Eg: having HttpClient signed would let an admin express with the Java
> security model that a web app cannot open sockets unless it's being
> made by an official version of HttpClient. Or that a webapp cannot
> create temp files except by a signed FileUpload lib.
>
> http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
> http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
> --
> Sandy McArthur
>
> "He who dares not offend cannot be honest."
> - Thomas Paine
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-dev-help@jakarta.apache.org
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


Mime
View raw message