From: Craig L Russell <Craig.Russell@Sun.COM>
Date: Mon, 20 Aug 2007 09:04:46 -0700
Subject: Re: Signing Java Jars, versus Apache Signing of distributed artifacts
To: general@incubator.apache.org
In-reply-to: <46C9B94E.5010303@schor.com>
Message-id: <141A10E1-5228-4BF8-B3EE-84C1C6B58547@SUN.com>

Hi Marshall,

When I looked into Java signing, I found it to be too burdensome. There are two basic issues with it that made me think that it wasn't suitable for use with Apache projects:

1. The certificates are the keys to the kingdom. Whoever has the ability to use the certificates warrants the contents of the jar, so the certificates need to be kept secret. It's not practical for Apache projects to have secrets like this, so each individual would need their own certificate.

2. The runtime cost of checking the certificate every time the jar is used.

Just my opinion,

Craig

On Aug 20, 2007, at 8:54 AM, Marshall Schor wrote:

> I'm no expert in signing, but am looking into alternatives. This is what I've found, so far.
>
> Apache projects sign their distributable artifacts; see http://www.apache.org/dev/release-signing.html
>
> For artifacts which are Jars, there is another standard for signing which is supported by Java itself, in that the signed Jar can be "verified" when loaded. This kind of signing requires, besides the "private key", a "certificate authority" which indicates who owns the key. See http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html
>
> Apache signing, to my knowledge, doesn't require use of a certificate authority.
>
> In looking at several projects placing Jars in Maven repositories, they appear to be signing Jars using the Apache signing, not the Java Jar signing mechanism. Maven (I believe) supports this.
>
> Eclipse, as of release 3.3 (just out), has moved to a posture of signing all of its Jars using the Java mechanisms, see http://wiki.eclipse.org/JAR_Signing
>
> There are some issues to signing Jars with Java's approach - in terms of performance impacts. These are documented here: http://wiki.eclipse.org/index.php/Performance_Bloopers#JAR_signing_and_verification
>
> Eclipse avoids these performance impacts by not using the popular Java class loaders built on the URLClassLoader.
>
> I'd be interested to learn if others have gone down the Java JAR signing path, and if so,
> - is it considered an OK alternative to Apache signing,
> - how did you get a certificate authority to verify ownership of your signing key
> - how did you avoid performance issues
>
> If not - does anyone know if the Eclipse update site mechanism supports the Apache-style signing mechanism, or can be made to support this? (The Eclipse update site mechanism checks if the artifacts have been signed, and if so, verifies them, prior to installing them. But I believe it only works with Java JAR signed objects - but I could be mistaken).
>
> Thanks for any guidance / experiences.
>
> -Marshall Schor (Apache UIMA project)

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
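Editor's note: the thread contrasts Apache's detached release signatures with Java JAR signing, and mentions that a Java-signed JAR is checked when loaded and that this costs time. The script below is an added illustration, not code from this thread, from Apache UIMA, or from Eclipse. It uses only the Python standard library: it classifies a JAR as Java-signed or not from the META-INF signature files, and it recomputes the per-entry `SHA-256-Digest` values in `MANIFEST.MF`, which is the integrity work a verifying class loader repeats for every entry. It does not verify the signature block (`.RSA`/`.DSA`) itself; that needs the signer's certificate and is what `jarsigner -verify` or the JVM does. The sample JAR, its entry names, the function names, and the `tamper`/`extra_entries` parameters are all constructed here for the example.

```python
"""Inspect a JAR for Java-style signing and recheck its manifest digests.

Added example (not from the thread or any project); standard library only.
The sample JAR is built in memory and labelled as constructed.
"""
import base64
import hashlib
import io
import zipfile

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}) from MANIFEST.MF text.

    Applies the manifest continuation rule: a line starting with one space
    continues the previous attribute's value.
    """
    sections, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(": ")
        current[key] = value
        last_key = key
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def signing_state(jar_bytes):
    """Classify structurally: 'unsigned', 'java-signed' or 'incomplete-signature'.

    A Java-signed JAR carries META-INF/*.SF plus a matching .RSA/.DSA/.EC
    block. This only reports what is present; it does not validate it.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist() if n.startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in names)
    has_block = any(n.endswith(SIGNATURE_BLOCK_SUFFIXES) for n in names)
    if has_sf and has_block:
        return "java-signed"
    if has_sf or has_block:
        return "incomplete-signature"
    return "unsigned"


def verify_manifest_digests(jar_bytes):
    """Recompute every SHA-256-Digest listed in MANIFEST.MF.

    Returns {entry_name: True (match) | False (mismatch) | None (missing)}.
    Every listed entry is read and hashed, which is the per-entry cost the
    thread attributes to verifying signed JARs at load time.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        _, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name, attrs in entries.items():
            expected = attrs.get("SHA-256-Digest")
            if expected is None:
                continue
            try:
                data = zf.read(name)
            except KeyError:
                results[name] = None
                continue
            actual = base64.b64encode(hashlib.sha256(data).digest()).decode()
            results[name] = actual == expected
    return results


def build_sample_jar(files, tamper=None, extra_entries=None):
    """Build an in-memory JAR with per-entry digests (constructed sample).

    `files` maps entry name -> bytes. If `tamper` names an entry, its bytes
    are altered after the digest was recorded, simulating a modified JAR.
    `extra_entries` adds raw META-INF files (e.g. placeholder .SF/.RSA).
    Names are kept short, so the 72-byte manifest line wrap is not needed.
    """
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines).encode())
        for name, data in files.items():
            zf.writestr(name, data + b"X" if name == tamper else data)
        for name, data in (extra_entries or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content; not real class bytes from any project.
SAMPLE_FILES = {
    "com/example/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "LICENSE": b"constructed licence text\n",
}

if __name__ == "__main__":
    good = build_sample_jar(SAMPLE_FILES)
    bad = build_sample_jar(SAMPLE_FILES, tamper="com/example/Main.class")
    print("state:", signing_state(good))
    print("intact:", verify_manifest_digests(good))
    print("tampered:", verify_manifest_digests(bad))
```

The point to take from running it: the digest table alone already forces a full read and hash of every listed entry, which is why Eclipse's performance note targets verification in the class loader; an Apache-style detached signature is checked once at download time over the whole artifact and costs nothing at load time. Seeing `java-signed` from `signing_state` means only that the signature files exist; trusting the JAR still requires validating the block against a certificate you trust.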