Mailing-List: contact commons-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Jakarta Commons Developers List" <commons-dev@jakarta.apache.org>
Received-SPF: pass (asf.osuosl.org: local policy)
From: "James Carman" <james@carmanconsulting.com>
To: "'Jakarta Commons Developers List'" <commons-dev@jakarta.apache.org>,
        <paul@activemath.org>
Subject: RE: [all] jar signing with jarsigner
Date: Fri, 3 Mar 2006 08:16:57 -0500
Message-ID: <003201c63ec4$bfde0af0$6401a8c0@CARMANI9300>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <440804A9.1080905@activemath.org>
thread-index: AcY+oGSX7QTDmvY7TpKQptlU3dW/hgAI/nVw

I would say that having the infrastructure team, or some other team, do the
signing might be a good idea.  Maybe there could be a mechanism for us to
login through some web portal and request that certain files be signed and
"published" rather than doing it ourselves.  Having a jar signed by The
Apache Software Foundation (and publishing the ASF certificate) would
definitely make it easier for users to make up security policies which
allows them to "trust" the code that comes from us (like giving HiveMind the
ability to create classes on the fly using Javassist in application
servers).  

-----Original Message-----
From: Paul Libbrecht [mailto:paul@activemath.org] 
Sent: Friday, March 03, 2006 3:56 AM
To: Jakarta Commons Developers List
Subject: Re: [all] jar signing with jarsigner

As far as I could see such a thing... jar signing would need to happen 
on Apache server... using some Apache private key... right ?
Maybe this is a first issue ?
How would you go to ensure that such a private key is not hacked or copied ?
Let infrastructure team do the signing ?

I suppose that, with Java Web Start, the jar-signing mechanism may 
request at least one authorization for each signing key...

paul

Sandy McArthur wrote:
> The discussion on signing releases with PGP led me to wonder why jar's
> aren't signed with the jarsigner tool? As Java centric as Jakarta is,
> now that I think about it, it seems kind of strange that the "java
> way" of signing code isn't used. I'm not suggesting replacing the PGP
> sigs on releases, jarsigner doesn't do much with tarballs.
>
> Eg: having HttpClient signed would let an admin express with the Java
> security model that a web app cannot open sockets unless it's being
> made by an official version of HttpClient. Or that a webapp cannot
> create temp files except by a signed FileUpload lib.
>
> http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
> http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
> --
> Sandy McArthur
>
> "He who dares not offend cannot be honest."
> - Thomas Paine
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-dev-help@jakarta.apache.org
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org