commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sandy McArthur" <>
Subject Re: [all] jar signing with jarsigner
Date Fri, 03 Mar 2006 14:35:09 GMT
On 3/3/06, Paul Libbrecht <> wrote:
> As far as I could see such a thing... jar signing would need to happen
> on Apache server... using some Apache private key... right ?
> Maybe this is a first issue ?
> How would you go to ensure that such a private key is not hacked or copied ?
> Let infrastructure team do the signing ?

There is the problem of getting the cert (or root cert) into the JVM's
keystore. Unless Apache was able to persuade a well known SSL cert
issuer to donate code signing certs (which tend to be more expensive
than common ssl certs), Apache would probably just have to create it's
own root cert which would be used to issue certs to Apache members
needing to sign releases. Then, as I see it, trusting these issued
certs would be no different than trusting the PGP keys release
managers are expected to keep protected. For end users the root Apache
cert would need to be added to the JVM's keystore to be able to verify
signed jars.

> I suppose that, with Java Web Start, the jar-signing mechanism may
> request at least one authorization for each signing key...

I don't know how that would work.

Sandy McArthur

"He who dares not offend cannot be honest."
- Thomas Paine

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message