www-repository mailing list archives

From "Tim O'Brien" <tobr...@discursive.com>
Subject RE: repo security
Date Thu, 13 Jan 2005 15:51:30 GMT
Steve,

Would we be talking about "gpg --armor --output
commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar"? Or is
there some other mechanism we would need to go through?

Even if someone compromised the repository they would need to get your
private key and passphrase to create a valid, signed MD5.  I know people
here are touchy about scope, but JAR signing seems limiting in that it
only applies to jar files and is entirely specific to Java.

Tim O'Brien

> -----Original Message-----
> From: Steve Loughran [mailto:steve.loughran@gmail.com] 
> Sent: Thursday, January 13, 2005 7:20 AM
> To: repository@apache.org
> Subject: Re: repo security
> 
> On Thu, 13 Jan 2005 10:29:51 +0000, Steve Loughran 
> <steve.loughran@gmail.com> wrote:
> > On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter
> > <brett.porter@gmail.com> wrote:
> > > Hi Steve,
> > >
> > > I'd like to do whatever we can to get better security on this stuff.
> > > I just need to get my head around what JAR signing provides in
> > > comparison to key signing, and what impact it might have on existing
> > > code. I'll read up on it.
> > 
> > it doesn't hit existing code until you run with security turned on.
> > 
> > At that point
> > -JAR files need to be signed
> > -you cannot have classes in the same package in >1 jar
> > 
> > I believe the latter only kicks in under a secure classloader; we will
> > have to check. If it is the case that everything has to be sealed,
> > then signed jars are a no-starter.
> > 
> > I will get our professionally paranoid security person on the case.
> 
> 
> Consultation complete.
> 
> Once you sign a JAR, the classloader won't let you load more 
> classes into packages occupied by classes in that JAR, except 
> from JAR files signed by the same key.
> 
> This is effectively a cross-JAR form of sealing. 
> 
> We cannot sign JAR files in this way; it will cause too much 
> confusion. And it's against the open source ethos of 'rebuild 
> anything you like'.
> 
> What we can do is produce signature files alongside each 
> artifact, one that contains a signed MD5 or SHA1 checksum. 
> Downloading apps can retrieve the signatures and verify.
> 
> Note that if people/repositories do want to sign stuff, that 
> is their prerogative. Transit would work well in a contained 
> env for secure classloading of RMI files if everything was signed.
> 
> -steve
> 
> 
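The scheme the quoted reply proposes (a detached signature file alongside each artifact, over the artifact and over its checksum sidecar, verified by the downloader) and the gpg invocation Tim asks about, worked through as an added example. This script is not from the thread, the www-repository list or any Apache project; it assumes GnuPG 2.x is on PATH as `gpg` and that `sha1sum` exists, generates a throwaway signing key in a temporary GNUPGHOME (the real release key and the downloaders' copy of its public half are assumed to exist out of band), and uses a constructed one-line file named `commons-foo-1.2.jar` as the artifact. It also shows the property Tim points out: swapping the artifact, or even the artifact plus its `.sha1`, fails verification unless the attacker can also produce a new signature with the private key.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Apache project.
# Produces and verifies detached GPG signatures for a repository artifact:
# one over the artifact bytes, one over its ".sha1" checksum sidecar.
# Assumptions: GnuPG 2.x as "gpg" and sha1sum on PATH. A throwaway key is
# generated in a temporary GNUPGHOME, so the user's keyring is untouched
# and nothing goes on the network.
set -eu

# Creates a temporary keyring holding a throwaway signing key and prints
# the GNUPGHOME path. In a real release this is the release manager's
# long-lived key, and downloaders already hold its public half.
make_throwaway_keyring() {
  home=$(mktemp -d)
  chmod 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key \
      'Throwaway Release Signer <release@example.invalid>' >/dev/null 2>&1
  printf '%s\n' "$home"
}

# sign_artifact <gnupghome> <file>: writes <file>.asc (armored detached
# signature over the artifact), <file>.sha1 (checksum sidecar) and
# <file>.sha1.asc (detached signature over the checksum file).
sign_artifact() {
  home="$1"; f="$2"
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' --armor --detach-sign --output "$f.asc" "$f"
  ( cd "$(dirname "$f")" && sha1sum "$(basename "$f")" > "$(basename "$f").sha1" )
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' --armor --detach-sign --output "$f.sha1.asc" "$f.sha1"
}

# verify_artifact <gnupghome> <file>: returns 0 only if the signature over
# the artifact verifies, the signature over the checksum file verifies,
# and the checksum itself matches the artifact. gpg exits non-zero for a
# bad signature or an unknown key, so a signature from a key that is not
# in the downloader's keyring is a failure, not a warning.
verify_artifact() {
  home="$1"; f="$2"
  GNUPGHOME="$home" gpg --batch --quiet --verify "$f.asc" "$f" >/dev/null 2>&1 || return 1
  GNUPGHOME="$home" gpg --batch --quiet --verify "$f.sha1.asc" "$f.sha1" >/dev/null 2>&1 || return 1
  ( cd "$(dirname "$f")" && sha1sum -c "$(basename "$f").sha1" >/dev/null 2>&1 ) || return 1
  return 0
}

# End-to-end demo on a constructed artifact. Returns 0 when the genuine
# files verify and both tampered variants are rejected.
demo_sign_verify() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
  home=$(make_throwaway_keyring)
  dir=$(mktemp -d)
  art="$dir/commons-foo-1.2.jar"            # constructed stand-in, not a real jar
  printf 'constructed sample artifact contents\n' > "$art"

  sign_artifact "$home" "$art"
  verify_artifact "$home" "$art" || { echo "genuine artifact failed to verify" >&2; return 1; }

  # Repository compromise 1: attacker swaps the jar, signature files untouched.
  printf 'x' >> "$art"
  if verify_artifact "$home" "$art"; then echo "tampered jar accepted" >&2; return 1; fi

  # Repository compromise 2: attacker also rewrites the .sha1 to match the
  # new jar. The checksum now agrees, but .sha1.asc no longer verifies,
  # because producing a fresh signature needs the private key.
  ( cd "$dir" && sha1sum "$(basename "$art")" > "$(basename "$art").sha1" )
  if verify_artifact "$home" "$art"; then echo "re-hashed tampered jar accepted" >&2; return 1; fi

  GNUPGHOME="$home" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$home" "$dir"
  return 0
}
```

Run `demo_sign_verify` after sourcing the script; it exits 0 on a correct GnuPG installation. The checksum file on its own adds no security (anyone who can replace the jar can replace the `.sha1`), which is why the signature over it is what a downloader must check; and a downloader verifying against a keyring it just fetched from the same compromised repository is back where it started, so the release key's public half has to reach clients through a channel the repository does not control.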
