commons-dev mailing list archives

From Paul Libbrecht
Subject Re: [all] jar signing with jarsigner
Date Sat, 11 Mar 2006 21:32:34 GMT
To me this just means that the signature is, for JNLP deployers, a job 
of the deployer, or the end-developer and that a signature of Apache 
Foundation would not help.
Correct with that?
Can you tell a bit more?
E.g. is there a comparison between the fields of the JNLP and the fields 
of the certificate?



Martin van den Bemt wrote:
> Yep, I used it on a regular basis, although it's been a year or so 
> since I last did this..
> I just took the short path : (re) sign all the jars that go into a 
> webstarted application.
> All signatures in a/each jnlp file should be the same. So eg if all 
> external dependencies are signed by the creator, you need to create a 
> separate jnlp (include like) file per unique cert, which can kind of 
> suck from a release manager perspective.
> So my preferred way is to just (re) sign everything with the same cert..
> Mvgr,
> Martin
> Paul Libbrecht wrote:
>> Paul Libbrecht wrote:
>>> I suppose that, with Java Web Start, the jar-signing mechanism may 
>>> request at least one authorization for each signing key...
>> Has anyone tested a java-web-start application where jars are from 
>> different originators?
>> If, indeed as I fear, there are several requests for trust presented 
>> to the user, I think ASF jar-signing would help nothing for JNLP 
>> deployments...
>> paul
