incubator-general mailing list archives

From Marshall Schor <>
Subject Signing Java Jars, versus Apache Signing of distributed artifacts
Date Mon, 20 Aug 2007 15:54:54 GMT
I'm no expert in signing, but am looking into alternatives. This is what I've found, so far.

Apache projects sign their distributable artifacts; see

For artifacts which are Jars, there is another standard for signing which is supported by Java itself, in that the signed Jar can be "verified" when loaded. This kind of signing requires, besides the "private key", a "certificate authority" which indicates who owns the key. See

Apache signing, to my knowledge, doesn't require use of a certificate 

In looking at several projects placing Jars in Maven repositories, they appear to be signing Jars using the Apache signing, not the Java Jar signing mechanism. Maven (I believe) supports this.

Eclipse, as of release 3.3 (just out), has moved to a posture of signing all of its Jars using the Java mechanisms, see

There are some issues to signing Jars with Java's approach, in terms of performance impacts. These are documented here:

Eclipse avoids these performance impacts by not using the popular Java class loaders built on the URLClassLoader.

I'd be interested to learn if others have gone down the Java JAR signing path, and if so,
  - is it considered an OK alternative to Apache signing,
  - how did you get a certificate authority to verify ownership of your signing key,
  - how did you avoid performance issues?

If not, does anyone know if the Eclipse update site mechanism supports the Apache-style signing mechanism, or can be made to support this? (The Eclipse update site mechanism checks if the artifacts have been signed, and if so, verifies them, prior to installing them. But I believe it only works with Java JAR signed objects, but I could be

Thanks for any guidance / experiences.

-Marshall Schor (Apache UIMA project)
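
The message above contrasts Java JAR signing (verified by the JRE when the Jar is loaded) with Apache-style detached signatures. The following is an added example, not code from the original message, from Apache UIMA or from Eclipse, showing what "verified when loaded" actually covers and what it does not: the JRE checks that each entry's digest matches the signature files in META-INF, but it does not decide whether the signing certificate should be trusted. That decision is the caller's, which is the "certificate authority" question raised in the message. The class name VerifySignedJar, the trust-store file and its password are assumptions; the trust store is any JKS file into which the expected signer certificate has been imported with keytool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (hypothetical class name): verify a Java-signed Jar and check signer trust. */
public final class VerifySignedJar {

    /**
     * Returns true only if every non-signature entry is signed, its digest checks out,
     * and at least one signer's leaf certificate is present in trustStore.
     */
    public static boolean verify(String jarPath, KeyStore trustStore) throws Exception {
        // verify=true makes JarFile compare each entry against META-INF/*.SF and the
        // *.RSA/*.DSA/*.EC signature blocks while the entry's bytes are being read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                // Digest verification happens as the stream is consumed; a tampered
                // entry throws SecurityException here rather than returning false.
                // This per-entry digesting is the cost the message attributes to
                // URLClassLoader-based loaders, which pay it at class-load time.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                }
                // getCodeSigners() is only populated once the entry has been fully read;
                // null means this entry is not covered by any signature.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    System.err.println("unsigned entry: " + entry.getName());
                    return false; // a partially signed Jar is treated as unsigned
                }
                if (!anyTrusted(signers, trustStore)) {
                    System.err.println("signed by an untrusted certificate: " + entry.getName());
                    return false;
                }
            }
            return true;
        }
    }

    /** The manifest and the signature files themselves are not signed entries. */
    private static boolean isSignatureMetadata(String name) {
        String upper = name.toUpperCase();
        if (upper.equals("META-INF/MANIFEST.MF")) {
            return true;
        }
        return upper.startsWith("META-INF/")
            && (upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC"));
    }

    /**
     * Trust decision: the JRE has already proven integrity relative to the certificate
     * embedded in the Jar, but a self-signed or attacker-chosen certificate passes that
     * check too. Require the leaf certificate of some signer to be in our trust store.
     */
    private static boolean anyTrusted(CodeSigner[] signers, KeyStore trustStore) throws Exception {
        for (CodeSigner signer : signers) {
            CertPath path = signer.getSignerCertPath();
            Certificate leaf = path.getCertificates().get(0);
            if (trustStore.getCertificateAlias(leaf) != null) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: VerifySignedJar <file.jar> <truststore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray()); // assumption: a JKS trust store built with keytool
        }
        boolean ok = verify(args[0], ks);
        System.out.println(ok ? "VERIFIED" : "NOT TRUSTED");
        System.exit(ok ? 0 : 1);
    }
}
```

Two points worth noting when comparing this with Apache-style signing. First, `jarsigner -verify` and the JRE's own check succeed for any certificate, including a self-signed one; only the trust-store comparison above ties the signature to a specific owner, which is the role a certificate authority would otherwise play. Second, a Jar can contain unsigned entries alongside signed ones and still load without error, so a verifier that only looks at whether *some* signature exists can be bypassed by adding an unsigned class; the loop above rejects any uncovered entry. A detached Apache-style signature over the whole file has neither problem, but the Java runtime and the Eclipse update mechanism do not consult it.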
