Message-ID: <44137B03.7060208@mvdb.net>
Date: Sun, 12 Mar 2006 02:36:03 +0100
From: Martin van den Bemt
To: Jakarta Commons Developers List
Subject: Re: [all] jar signing with jarsigner
In-Reply-To: <441341F2.3090900@activemath.org>

Paul Libbrecht wrote:
> To me this just means that the signature is, for JNLP deployers, a job
> of the deployer, or the end-developer and that a signature of Apache
> Foundation would not help.
> Correct with that ?

From my point of view you are correct, though my opinion is not necessarily the opinion of everyone else.

> Can you tell a bit more ?
> E.g. is there a comparison between the fields of the JNLP and the fields
> of the certificate?

I don't know the internals of webstart on how it checks the certs in the jars.

Assume you have one jnlp file. The webstart client assumes that ALL jars are signed with the same certificate, else it will stop with an error. This is to prevent users having to accept different certificates.

A way to use eg apache signed jars is to add an "extension" jnlp file in the main jnlp file. There is one rule though: the extensions may not contain code from the same packages as contained in the main (I don't know the exact rules for this, but that is probably in the jnlp spec).

In short: it gives the ASF extra burden to sign the jars (and release every once in a while, since those certs actually expire at some point in time) and I don't see the real benefit users and the ASF are getting out of that. If people want to sign their application, just let them also sign all the other stuff along with it.

Hope this helps :)

Mvgr,
Martin

> thanks
>
> paul
>
> Martin van den Bemt wrote:
>
>> Yep I used it on a regular basis, although it's been a year or so,
>> since I last did this..
>> I just took the short path: (re)sign all the jars that go into a
>> webstarted application.
>> All signatures in a/each jnlp file should be the same. So eg if all
>> external dependencies are signed by the creator, you need to create a
>> separate jnlp (include like) file per unique cert, which can kind of
>> suck from a release manager perspective.
>> So my preferred way is to just (re)sign everything with the same cert..
>>
>> Mvgr,
>> Martin
>>
>> Paul Libbrecht wrote:
>>
>>> Paul Libbrecht wrote:
>>>
>>>> I suppose that, with Java Web Start, the jar-signing mechanism may
>>>> request at least one authorization for each signing key...
>>>
>>> Has anyone tested a java-web-start application where jars are from
>>> different originators?
>>> If, indeed as I fear, there are several requests for trust presented
>>> to the user, I think ASF jar-signing would help nothing for JNLP
>>> deployments...
>>>
>>> paul

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
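The layout Martin describes (one certificate per JNLP file, with differently signed jars pulled in through an extension JNLP), written out as an added illustration that is not part of the thread. Codebase URL, file names, jar names, main class and the claim that the extension jars are ASF-signed are all assumed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- main.jnlp (hypothetical): every jar listed directly here must carry the
     same signature, the deployer's, or Web Start stops with an error. -->
<jnlp spec="1.0+" codebase="https://example.invalid/app" href="main.jnlp">
  <information>
    <title>Example application</title>
    <vendor>Example deployer</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5+"/>
    <!-- both signed with the deployer's certificate -->
    <jar href="app.jar" main="true"/>
    <jar href="app-util.jar"/>
    <!-- jars signed by somebody else go in their own extension JNLP; the user
         is then asked to trust that second certificate separately -->
    <extension name="commons-libs" href="commons-ext.jnlp"/>
  </resources>
  <application-desc main-class="org.example.app.Main"/>
</jnlp>

<?xml version="1.0" encoding="UTF-8"?>
<!-- commons-ext.jnlp (hypothetical): a component extension whose jars are all
     signed with the upstream certificate (assumed here to be an ASF one).
     Per the rule Martin mentions, its packages must not overlap with the
     packages shipped by main.jnlp. -->
<jnlp spec="1.0+" codebase="https://example.invalid/app" href="commons-ext.jnlp">
  <information>
    <title>Commons libraries</title>
    <vendor>Upstream signer</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <!-- constructed jar names, signed by the upstream certificate -->
    <jar href="commons-lang.jar"/>
    <jar href="commons-io.jar"/>
  </resources>
  <component-desc/>
</jnlp>
```

Each JNLP file ends up with a single signer, which is what Web Start checks; the cost, as the thread points out, is one extension file and one extra trust prompt per distinct certificate.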