Posted to dev@commons.apache.org by Sandy McArthur <sa...@apache.org> on 2006/03/03 02:28:29 UTC

[all] jar signing with jarsigner

The discussion on signing releases with PGP led me to wonder why jars
aren't signed with the jarsigner tool? As Java-centric as Jakarta is,
now that I think about it, it seems kind of strange that the "Java
way" of signing code isn't used. I'm not suggesting replacing the PGP
sigs on releases; jarsigner doesn't do much with tarballs.

E.g.: having HttpClient signed would let an admin express with the Java
security model that a web app cannot open sockets unless it's being
made by an official version of HttpClient. Or that a webapp cannot
create temp files except by a signed FileUpload lib.

http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
--
Sandy McArthur

"He who dares not offend cannot be honest."
- Thomas Paine

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


Re: [all] jar signing with jarsigner

Posted by Martin van den Bemt <ml...@mvdb.net>.

Paul Libbrecht wrote:
> To me this just means that the signature is, for JNLP deployers, a job 
> of the deployer, or the end-developer and that a signature of Apache 
> Foundation would not help.
> Correct with that ?

From my point of view you are correct, though my opinion is not necessarily the opinion of everyone else.

> Can you tell a bit more ?
> E.g. is there a comparison between the fields of the JNLP and the fields 
> of the certificate?

I don't know the internals of webstart, or how it checks the certs in the jars.
Assume you have one jnlp file. The webstart client assumes that ALL jars are signed with the same 
certificate, else it will stop with an error. This is to prevent users having to accept different 
certificates. A way to use e.g. Apache-signed jars is to add an "extension" jnlp file in the main 
jnlp file.
There is one rule though: the extensions may not contain code from the same packages as contained 
in the main (I don't know the exact rules for this, but that is probably in the jnlp spec).

In short: it gives the ASF an extra burden to sign the jars (and to release every once in a while, since 
those certs actually expire at some point in time), and I don't see the real benefit users and the 
ASF are getting out of that. If people want to sign their application, just let them also sign all 
the other stuff along with it.

Hope this helps :)

Mvgr,
Martin



Re: [all] jar signing with jarsigner

Posted by Paul Libbrecht <pa...@activemath.org>.
To me this just means that the signature is, for JNLP deployers, a job 
of the deployer, or the end-developer, and that a signature of the Apache 
Foundation would not help.
Correct with that?
Can you tell a bit more?
E.g. is there a comparison between the fields of the JNLP and the fields 
of the certificate?

thanks

paul



Re: [all] jar signing with jarsigner

Posted by Martin van den Bemt <ml...@mvdb.net>.
Yep, I used it on a regular basis, although it's been a year or so since I last did this.
I just took the short path: (re)sign all the jars that go into a webstarted application.
All signatures in a/each jnlp file should be the same. So e.g. if all external dependencies are signed 
by the creator, you need to create a separate jnlp (include-like) file per unique cert, which can 
kind of suck from a release manager perspective.
So my preferred way is to just (re)sign everything with the same cert.


Mvgr,
Martin



Re: [all] jar signing with jarsigner

Posted by Paul Libbrecht <pa...@activemath.org>.
Paul Libbrecht wrote:
> I suppose that, with Java Web Start, the jar-signing mechanism may 
> request at least one authorization for each signing key...

Has anyone tested a java-web-start application where jars are from 
different originators?
If, indeed as I fear, there are several requests for trust presented to 
the user, I think ASF jar-signing would help nothing for JNLP deployments...

paul



Re: [all] jar signing with jarsigner

Posted by Paul Libbrecht <pa...@activemath.org>.
This thread is somewhat old but I have some new information...
I have just been pointed to the following FAQ by a friend:
  http://www.dallaway.com/acad/webstart/
Several good things in there... but one that is particularly worth it is 
about the usage of *different certificates* for different jars. The bit 
is called "A note on third party JAR files" and indicates that it is 
possible to use different certificates for different jars as long as you 
use the extension mechanism.
This means that signed Apache jars could make sense, even copied to 
another location. They would be distributed with an extension JNLP alongside.
Only issue: the user may have to agree to several certificates!

How safe would it be to consider creating a certificate and storing it 
centrally on people.apache.org? And requesting that only, say, PMC members 
actually have the password of the keystore and sign the jars?

thanks

paul





Re: [all] jar signing with jarsigner

Posted by Sandy McArthur <sa...@apache.org>.
On 3/3/06, Paul Libbrecht <pa...@activemath.org> wrote:
> As far as I could see such a thing... jar signing would need to happen
> on Apache server... using some Apache private key... right ?
> Maybe this is a first issue ?
> How would you go to ensure that such a private key is not hacked or copied ?
> Let infrastructure team do the signing ?

There is the problem of getting the cert (or root cert) into the JVM's
keystore. Unless Apache was able to persuade a well-known SSL cert
issuer to donate code signing certs (which tend to be more expensive
than common SSL certs), Apache would probably just have to create its
own root cert, which would be used to issue certs to Apache members
needing to sign releases. Then, as I see it, trusting these issued
certs would be no different than trusting the PGP keys release
managers are expected to keep protected. For end users the root Apache
cert would need to be added to the JVM's keystore to be able to verify
signed jars.

> I suppose that, with Java Web Start, the jar-signing mechanism may
> request at least one authorization for each signing key...

I don't know how that would work.

--
Sandy McArthur

"He who dares not offend cannot be honest."
- Thomas Paine

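An added example, not code from this thread or from any Apache project, of the defender-side check that Sandy's policy idea depends on: the signer certificate is read from a local truststore (the "root cert in the JVM's keystore" step) and every entry of the JAR must verify against it before a signedBy grant such as the one in the first message means anything. The jar path, truststore path, alias and the /etc/java/trusted.jks location in the policy comment are assumptions, not values from the thread.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Objects;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/* Checks that every entry of a JAR is signed by one pinned certificate read from a
 * local truststore. A policy grant keyed on that signer (hypothetical alias
 * "httpclient") is only as strong as this check:
 *   keystore "file:/etc/java/trusted.jks";
 *   grant signedBy "httpclient" { permission java.net.SocketPermission "*", "connect,resolve"; };
 */
public class SignedJarCheck {
    // usage: java SignedJarCheck <jar> <truststore> <alias>; exits 0 only if all entries pass
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, null); // no password is needed to read public certificates
        }
        Certificate trusted = Objects.requireNonNull(ks.getCertificate(args[2]), "unknown alias");
        boolean ok = allEntriesSignedBy(args[0], trusted);
        System.out.println(ok ? "OK: every entry signed by " + args[2] : "FAIL");
        System.exit(ok ? 0 : 1);
    }

    static boolean allEntriesSignedBy(String jarPath, Certificate trusted) throws IOException {
        // verify=true makes JarFile check each entry's digest and signature as it is read
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureMetadata(e.getName())) continue;
                // signers are populated only after the entry is read to EOF; a tampered entry throws
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException tampered) {
                    System.err.println("digest mismatch: " + e.getName());
                    return false;
                }
                if (!signedBy(e, trusted)) {
                    System.err.println("unsigned or foreign signer: " + e.getName());
                    return false;
                }
            }
        }
        return true;
    }

    // the manifest and the signature files themselves carry no signer of their own
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // pins the leaf (signing) cert; for a root-issued signer, validate the chain with CertPathValidator
    static boolean signedBy(JarEntry e, Certificate trusted) {
        CodeSigner[] signers = e.getCodeSigners(); // null for an unsigned entry
        if (signers == null) return false;
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(trusted)) return true;
        }
        return false;
    }
}
```

One caveat on the policy itself: the JVM checks every frame on the call stack, so a webapp's own unsigned code calling into the signed library still fails the SocketPermission check unless the library performs the socket operation inside AccessController.doPrivileged.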


RE: [all] jar signing with jarsigner

Posted by James Carman <ja...@carmanconsulting.com>.
Or, maybe we could submit the artifacts to the web portal and the portal
would allow us to login and vote on whether we deem it worthy of publishing?
We could maybe require a minimum number of votes.  Once it reaches a certain
status (minimum number of +1s or something), the infrastructure team is
notified (via email) or it shows up on their screen as something they need
to address.  Then, they can take the artifacts, give the ASF stamp of
approval (sign them) and publish them to the appropriate place.  Basically,
it'd be a workflow system.  



RE: [all] jar signing with jarsigner

Posted by James Carman <ja...@carmanconsulting.com>.
I would say that having the infrastructure team, or some other team, do the
signing might be a good idea.  Maybe there could be a mechanism for us to
login through some web portal and request that certain files be signed and
"published" rather than doing it ourselves.  Having a jar signed by The
Apache Software Foundation (and publishing the ASF certificate) would
definitely make it easier for users to make up security policies which
allow them to "trust" the code that comes from us (like giving HiveMind the
ability to create classes on the fly using Javassist in application
servers).



Re: [all] jar signing with jarsigner

Posted by Paul Libbrecht <pa...@activemath.org>.
As far as I could see such a thing... jar signing would need to happen 
on an Apache server... using some Apache private key... right?
Maybe this is a first issue?
How would you go about ensuring that such a private key is not hacked or copied?
Let the infrastructure team do the signing?

I suppose that, with Java Web Start, the jar-signing mechanism may 
request at least one authorization for each signing key...

paul



Re: [all] jar signing with jarsigner

Posted by Sandy McArthur <sa...@gmail.com>.
On 3/2/06, Henri Yandell <fl...@gmail.com> wrote:
> Have you had good fortune with jar signing, or are you like me - it's
> an idea that you've never had time to pursue?

Only with respect to deploying an internal JavaWebStart app. And long
ago I stumbled across it once, back when Java 1.3 was current: I was
using a profiler that instrumented all your byte code, and since
JavaMail was signed and marked as secure, I had to repackage it without
the signature so the classloader would load the instrumented classes.
The modern profilers I've used recently won't have this problem with
the hooks available in the modern JVMs.

--
Sandy McArthur

"He who dares not offend cannot be honest."
- Thomas Paine



Re: [all] jar signing with jarsigner

Posted by Henri Yandell <fl...@gmail.com>.
Steve Loughran's had some interesting things to say on this on
repository@apache.org over the last year or so. Basically that in his
opinion jar signing plain didn't work and we shouldn't be bothering
with it.

Have you had good fortune with jar signing, or are you like me - it's
an idea that you've never had time to pursue?

Hen
