www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <steve.lough...@gmail.com>
Subject JAR signing : not an option
Date Tue, 29 Mar 2005 17:21:47 GMT
I've been doing some JAR signing work in ant; a <verifyjar> task to go
alongside <signjar>. I had intended it to be a precursor to library
verification in Ant after download.

The summary is: 'signjar -verify' is a worthless bit of code; it
doesnt change its exit code when a JAR is unsigned, it doesnt even
change its success text "JAR verified." when a JAR is signed by
someone you dont trust. There is no way to validate (pre-Java1.5) a
JAR except by trying to load it in a secure classloader, and even
then, the loading code doesnt know what the result is, it is only the
loaded code, which finds it in a sandbox. The best bit: untrusted data
is still accessible by trusted code, without being able to check on
the value of that data.

There is no point in even making JAR signing/verifying an option for
validating jar files. It wont work, it will only lull people into
insecurity.

-steve

Mime
View raw message