Posted to dev@commons.apache.org by Paul Libbrecht <pa...@activemath.org> on 2006/06/16 12:45:01 UTC

Re: [all] jar signing with jarsigner

This thread is somewhat old, but I have some new information...
I have just been pointed to the following FAQ by a friend:
  http://www.dallaway.com/acad/webstart/
Several good things in there... but one that is particularly worth noting is 
about the usage of *different certificates* for different jars. The bit 
is called "A note on third party JAR files" and indicates that it is 
possible to use different certificates for different jars as long as you 
use the extension mechanism.
This means that signed Apache jars could make sense, even copied to 
another location. They would be distributed with an extension JNLP alongside.
Only issue: the user may have to agree to several certificates!

How safe would it be to consider creating a certificate and storing it 
centrally on people.apache.org? And requesting that only, say, PMC members 
actually have the password of the keystore and sign the jars?

thanks

paul



Sandy McArthur wrote:
> On 3/3/06, Paul Libbrecht <pa...@activemath.org> wrote:
>   
>> As far as I could see such a thing... jar signing would need to happen
>> on an Apache server... using some Apache private key... right?
>> Maybe this is a first issue?
>> How would you go about ensuring that such a private key is not hacked or copied?
>> Let the infrastructure team do the signing?
>>     
>
> There is the problem of getting the cert (or root cert) into the JVM's
> keystore. Unless Apache was able to persuade a well known SSL cert
> issuer to donate code signing certs (which tend to be more expensive
> than common SSL certs), Apache would probably just have to create its
> own root cert which would be used to issue certs to Apache members
> needing to sign releases. Then, as I see it, trusting these issued
> certs would be no different than trusting the PGP keys release
> managers are expected to keep protected. For end users the root Apache
> cert would need to be added to the JVM's keystore to be able to verify
> signed jars.
>
>   
>> I suppose that, with Java Web Start, the jar-signing mechanism may
>> request at least one authorization for each signing key...
>>     
>
> I don't know how that would work.
>
> --
> Sandy McArthur
>
> "He who dares not offend cannot be honest."
> - Thomas Paine
>
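As an added example (not from this thread or the FAQ it cites), a small Python check for the constraint Paul describes: every `<jar>` listed directly in one JNLP must carry the same signer, while a jar signed with a different certificate has to be pulled in through a separate extension JNLP. The JARs and JNLP files are constructed inline, and the signature-file alias that jarsigner writes under META-INF is used as a heuristic proxy for the signing certificate rather than parsing the PKCS#7 block.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def jar_signers(jar_bytes):
    """Signer aliases in META-INF: jarsigner writes <ALIAS>.SF plus a
    matching .RSA/.DSA/.EC block per key (alias is a proxy for the cert)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    signers = set()
    for name in names:
        if name.startswith("META-INF/") and name.endswith(".SF"):
            alias = name[len("META-INF/"):-3]
            if any(f"META-INF/{alias}.{e}" in names for e in ("RSA", "DSA", "EC")):
                signers.add(alias)
    return signers

def check_jnlp(jnlp_xml, jars):
    """Flag unsigned jars and differing signers among the direct <jar>
    entries of one JNLP; jars behind <extension> have their own JNLP
    and may legitimately use another certificate. jars: href -> bytes."""
    problems, by_jar = [], {}
    for jar in ET.fromstring(jnlp_xml).iter("jar"):
        href = jar.get("href")
        by_jar[href] = jar_signers(jars[href])
        if not by_jar[href]:
            problems.append(f"{href}: not signed")
    if len({frozenset(s) for s in by_jar.values() if s}) > 1:
        problems.append("mixed signers in one JNLP: " + ", ".join(
            f"{h}={sorted(s)}" for h, s in by_jar.items()))
    return problems

def make_jar(alias=None):
    """Constructed minimal JAR with placeholder (not real) signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/App.class", b"\xca\xfe\xba\xbe")
        if alias:
            zf.writestr(f"META-INF/{alias}.SF", "Signature-Version: 1.0\n")
            zf.writestr(f"META-INF/{alias}.RSA", b"\x30\x82placeholder")
    return buf.getvalue()

# Constructed samples: app jar and a third-party jar signed with another key,
# first listed together (the case to avoid), then split via an extension JNLP.
MIXED_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app"><resources>
  <jar href="app.jar" main="true"/><jar href="commons-lang.jar"/></resources></jnlp>"""
SPLIT_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app"><resources>
  <jar href="app.jar" main="true"/><extension href="commons.jnlp"/></resources></jnlp>"""
SAMPLE_JARS = {"app.jar": make_jar("ACTIVEMA"), "commons-lang.jar": make_jar("APACHE")}
```

Running `check_jnlp(MIXED_JNLP, SAMPLE_JARS)` reports the mixed signers, while `check_jnlp(SPLIT_JNLP, SAMPLE_JARS)` returns no problems because the differently signed jar now lives behind the extension.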