commons-dev mailing list archives

From Martin van den Bemt <>
Subject Re: [all] jar signing with jarsigner
Date Sun, 12 Mar 2006 01:36:03 GMT

Paul Libbrecht wrote:
> To me this just means that the signature is, for JNLP deployers, a job 
> of the deployer, or the end-developer and that a signature of Apache 
> Foundation would not help.
> Correct with that ?

From my point of view you are correct, though my opinion is not necessarily the opinion of

> Can you tell a bit more ?
> E.g. is there a comparison between the fields of the JNLP and the fields 
> of the certificate?

I don't know the internals of webstart on how it checks the certs in the jars.
Assume you have one jnlp file. The webstart client assumes that ALL jars are signed with the
certificate, else it will stop with an error. This is to prevent users having to accept different
certificates. A way to use eg apache signed jars, is to add an "extension" jnlp file in the
jnlp file.
There is one rule though: The extensions may not contain code from the same packages as contained
in the main (I don't know the exact rules for this, but that is probably in the jnlp spec).

In short: it gives the ASF extra burden to sign the jars (and re-release every once in a while,
since those certs actually expire at some point in time) and I don't see the real benefit users
and the ASF are getting out of that. If people want to sign their application, just let them also
sign the other stuff along with it.

Hope this helps :)


> thanks
> paul
> Martin van den Bemt wrote:
>> Yep I used it on a regular basis, although it's been a year or so, 
>> since I last did this..
>> I just took the short path: (re) sign all the jars that go into a 
>> webstarted application.
>> All signatures in a/each jnlp file should be the same. So eg if all 
>> external dependencies are signed by the creator, you need to create a 
>> separate jnlp (include like) file per unique cert, which can kind of 
>> suck from a release manager perspective.
>> So my preferred way is to just (re) sign everything with the same cert..
>> Mvgr,
>> Martin
>> Paul Libbrecht wrote:
>>> Paul Libbrecht wrote:
>>>> I suppose that, with Java Web Start, the jar-signing mechanism may 
>>>> request at least one authorization for each signing key...
>>> Has anyone tested a java-web-start application where jars are from 
>>> different originators?
>>> If, indeed as I fear, there are several requests for trust presented 
>>> to the user, I think ASF jar-signing would help nothing for JNLP 
>>> deployments...
>>> paul

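The rule the thread turns on (every jar referenced by one JNLP file must carry a signature from the same signer, with differently signed jars moved into an extension JNLP) is easy to get wrong late in a release. Below is an added pre-flight check, written for this archive page and not code from the thread or from any Apache project. It relies on one fact about `jarsigner` output: a signed jar carries `META-INF/<ALIAS>.SF` plus a signature block `META-INF/<ALIAS>.RSA` (or `.DSA`/`.EC`). The JNLP documents and the jars themselves are constructed in memory so the script runs offline; in a real release you would read the files from the codebase directory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Signature block extensions jarsigner writes next to the .SF file.
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def make_jar(signer_alias=None):
    """Build a minimal jar in memory (constructed sample, not a real signed jar).
    When signer_alias is given, add the META-INF entries jarsigner would create."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        if signer_alias:
            zf.writestr(f"META-INF/{signer_alias}.SF", "Signature-Version: 1.0\n")
            zf.writestr(f"META-INF/{signer_alias}.RSA", b"<pkcs7 placeholder>")
    return buf.getvalue()


def signer_aliases(jar_bytes):
    """Return the set of signer aliases that have both an .SF file and a
    signature block directly under META-INF/. Empty set means unsigned."""
    aliases = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    for name in names:
        if not name.startswith("META-INF/"):
            continue
        entry = name[len("META-INF/"):]
        if "/" in entry:          # only top-level META-INF entries count
            continue
        base, _, ext = entry.rpartition(".")
        if base and ("." + ext).upper() in SIG_BLOCK_EXT and f"META-INF/{base}.SF" in names:
            aliases.add(base)
    return aliases


def jnlp_resources(jnlp_xml):
    """Return (jar hrefs, extension hrefs) referenced by a JNLP document."""
    root = ET.fromstring(jnlp_xml)
    jars = [j.get("href") for j in root.iter("jar")]
    exts = [e.get("href") for e in root.iter("extension")]
    return jars, exts


def check_single_signer(jnlp_xml, jar_store):
    """Check that every jar referenced directly by one JNLP file is signed and
    that all of them share one signer alias. Extension JNLPs are reported but
    not checked here: each one is a separate unit with its own signer.
    jar_store maps href -> jar bytes (constructed lookup for this example)."""
    jars, exts = jnlp_resources(jnlp_xml)
    problems = []
    all_aliases = set()
    for href in jars:
        aliases = signer_aliases(jar_store[href])
        if not aliases:
            problems.append(f"{href}: unsigned")
        all_aliases |= aliases
    if len(all_aliases) > 1:
        problems.append(
            f"mixed signers {sorted(all_aliases)}: move one group into an extension JNLP"
        )
    return not problems, problems, exts


# Constructed JNLP documents (example.invalid is a reserved, non-routable name).
GOOD_JNLP = """<jnlp codebase="http://example.invalid/app/">
  <resources>
    <jar href="app.jar" main="true"/>
    <jar href="lib.jar"/>
    <extension href="commons-ext.jnlp"/>
  </resources>
</jnlp>"""

MIXED_JNLP = """<jnlp codebase="http://example.invalid/app/">
  <resources>
    <jar href="app.jar" main="true"/>
    <jar href="commons.jar"/>
    <jar href="plain.jar"/>
  </resources>
</jnlp>"""

# Constructed jar store: release key "MYKEY", a jar signed by a different
# alias "APACHE", and one unsigned jar.
JARS = {
    "app.jar": make_jar("MYKEY"),
    "lib.jar": make_jar("MYKEY"),
    "commons.jar": make_jar("APACHE"),
    "plain.jar": make_jar(),
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_JNLP), ("mixed", MIXED_JNLP)):
        ok, problems, exts = check_single_signer(doc, JARS)
        print(label, "OK" if ok else "FAIL", problems, "extensions:", exts)
```

Two caveats a release manager would want stated: matching aliases is a cheap consistency check, not proof that the same certificate signed every jar, so run `jarsigner -verify -verbose -certs <jar>` on each file to see the actual certificate chain; and the check deliberately stops at `<extension>` references, since the point of an extension JNLP is that its jars are allowed to carry a different signer and are trusted separately.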
