commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject Re: [compress] Pack200
Date Mon, 05 Sep 2011 11:19:50 GMT
On 2011-09-05, Emmanuel Bourg wrote:

> That looks interesting. Does it provide a repack mode suitable for
> signing compressed jars?

I assume you mean

,----
| Note that packing and unpacking a JAR will in general alter the bytewise
| contents of classfiles in the JAR. This means that packing and unpacking
| will in general invalidate any digital signatures which rely on bytewise
| images of JAR elements. In order both to sign and to pack a JAR, you
| must first pack and unpack the JAR to "normalize" it, then compute
| signatures on the unpacked JAR elements, and finally repack the signed
| JAR. Both packing steps should use precisely the same options, and the
| segment limit may also need to be set to "-1", to prevent accidental
| variation of segment boundaries as class file sizes change slightly. 
`----

as in
<http://download.oracle.com/javase/1.5.0/docs/api/java/util/jar/Pack200.Packer.html>

I think the "normalization" step could be part of a util class inside
the package.  Some utility method that takes a JAR, packs it and unpacks
it again to a new jar that would then need to get signed.  Signing
itself seems outside of compress' scope to me.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message