As far as I could see such a thing... jar signing would need to happen
on Apache server... using some Apache private key... right ?
Maybe this is a first issue ?
How would you go to ensure that such a private key is not hacked or copied ?
Let infrastructure team do the signing ?
I suppose that, with Java Web Start, the jar-signing mechanism may
request at least one authorization for each signing key...
paul
Sandy McArthur wrote:
The discussion on signing releases with PGP led me to wonder why jar's
aren't signed with the jarsigner tool? As Java centric as Jakarta is,
now that I think about it, it seems kind of strange that the "java
way" of signing code isn't used. I'm not suggesting replacing the PGP
sigs on releases, jarsigner doesn't do much with tarballs.
Eg: having HttpClient signed would let an admin express with the Java
security model that a web app cannot open sockets unless it's being
made by an official version of HttpClient. Or that a webapp cannot
create temp files except by a signed FileUpload lib.
http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
--
Sandy McArthur
"He who dares not offend cannot be honest."
- Thomas Paine
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
