From Marshall Schor <...@schor.com>
Subject Signing Java Jars, versus Apache Signing of distributed artifacts
Date Mon, 20 Aug 2007 15:54:54 GMT
I'm no expert in signing, but am looking into alternatives.  This is 
what I've found, so far.

Apache projects sign their distributable artifacts; see 
http://www.apache.org/dev/release-signing.html

For artifacts which are Jars, there is another standard for signing 
which is supported by Java itself, in that the signed Jar can be 
"verified" when loaded.  This kind of signing requires, besides the 
"private key", a "certificate authority" which indicates who owns the 
key.  See 
http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html

Apache signing, to my knowledge, doesn't require use of a certificate 
authority.

In looking at several projects placing Jars in Maven repositories, they 
appear to be signing Jars using the Apache signing, not the Java Jar 
signing mechanism.  Maven (I believe) supports this.

Eclipse, as of release 3.3 (just out), has moved to a posture of signing 
all of its Jars using the Java mechanisms, see 
http://wiki.eclipse.org/JAR_Signing

There are some issues to signing Jars with Java's approach - in terms of 
performance impacts.  These are documented here: 
http://wiki.eclipse.org/index.php/Performance_Bloopers#JAR_signing_and_verification

Eclipse avoids these performance impacts by not using the popular Java 
class loaders built on the URLClassLoader.

I'd be interested to learn if others have gone down the Java JAR signing 
path, and if so,
  - is it considered an OK alternative to Apache signing,
  - how did you get a certificate authority to verify ownership of your 
    signing key,
  - how did you avoid performance issues?

If not - does anyone know if the Eclipse update site mechanism supports 
the Apache-style signing mechanism, or can be made to support this?  
(The Eclipse update site mechanism checks if the artifacts have been 
signed, and if so, verifies them, prior to installing them.  But I 
believe it only works with Java JAR signed objects - but I could be 
mistaken).

Thanks for any guidance / experiences.

-Marshall Schor (Apache UIMA project)
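The post contrasts Apache's detached-signature approach with Java's JAR signing, where the JAR itself carries a manifest listing a digest for every entry and the runtime re-digests each entry as it is loaded (the source of the per-class verification cost the Eclipse wiki page describes). The following is an added example, not code from the post or from the UIMA or Eclipse projects: it constructs a small in-memory JAR with a `META-INF/MANIFEST.MF` carrying per-entry `SHA-256-Digest` attributes in the JAR-specification layout, then performs the digest-comparison half of verification and shows it catching a modified or unlisted entry. The signature block (`.SF`/`.RSA` files and the certificate chain) that binds the manifest to a signer is deliberately left out; the entry names and contents are constructed sample data, and manifest line continuation is not handled.

```python
"""Added example: the per-entry digest check at the heart of Java JAR signing."""
import base64
import hashlib
import io
import zipfile

# Manifest entry name fixed by the JAR specification.
MANIFEST = "META-INF/MANIFEST.MF"


def build_manifest(entries):
    """Build a MANIFEST.MF with one section per entry holding its SHA-256 digest,
    the same layout jarsigner produces (signature block omitted in this example)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(raw):
    """Parse manifest sections into {entry name: {attribute: value}}; the main
    section is keyed by ''. 72-byte line continuations are not handled here."""
    sections, current = {}, {}
    for line in raw.decode().split("\r\n"):
        if not line:
            if current:
                sections[current.get("Name", "")] = current
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections[current.get("Name", "")] = current
    return sections


def build_jar(entries):
    """Construct an in-memory JAR whose manifest carries per-entry digests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_jar(jar_bytes):
    """Re-digest every entry and compare it with the manifest: this is the work a
    verifying class loader repeats per entry. Returns (ok, list of problems)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        sections = parse_manifest(zf.read(MANIFEST))
        for name in zf.namelist():
            if name == MANIFEST:
                continue
            expected = sections.get(name, {}).get("SHA-256-Digest")
            if expected is None:
                problems.append(f"{name}: no digest in manifest (unlisted entry)")
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            if actual != expected:
                problems.append(f"{name}: digest mismatch")
    return (not problems, problems)


def replace_entry(jar_bytes, name, new_data):
    """Rewrite (or add) one entry without touching the manifest, to simulate a
    corrupted or modified file that verification should reject."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    names = src.namelist() + ([] if name in src.namelist() else [name])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for item in names:
            dst.writestr(item, new_data if item == name else src.read(item))
    return buf.getvalue()


# Constructed sample entries; the class bytes are a placeholder, not real bytecode.
SAMPLE_ENTRIES = {
    "org/example/Hello.class": b"\xca\xfe\xba\xbe constructed placeholder",
    "org/example/config.properties": b"greeting=hello\n",
}
SAMPLE_JAR = build_jar(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print("intact:", verify_jar(SAMPLE_JAR))
    modified = replace_entry(SAMPLE_JAR, "org/example/config.properties", b"greeting=x\n")
    print("modified:", verify_jar(modified))
```

Because every loaded entry is hashed against the manifest, the cost scales with the number and size of entries a class loader touches, which is why a loader that verifies lazily or not at all (as the post says Eclipse arranged) changes the picture; a detached Apache-style signature, by contrast, is checked once over the whole archive before installation and costs nothing at load time.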