On 3/3/06, Paul Libbrecht <[EMAIL PROTECTED]> wrote:
> As far as I could see such a thing... jar signing would need to happen
> on Apache server... using some Apache private key... right?
> Maybe this is a first issue?
> How would you go to ensure that such a private key is not hacked or copied?
> Let infrastructure team do the signing?

There is the problem of getting the cert (or root cert) into the JVM's keystore. Unless Apache was able to persuade a well-known SSL cert issuer to donate code signing certs (which tend to be more expensive than common SSL certs), Apache would probably just have to create its own root cert which would be used to issue certs to Apache members needing to sign releases. Then, as I see it, trusting these issued certs would be no different than trusting the PGP keys release managers are expected to keep protected. For end users the root Apache cert would need to be added to the JVM's keystore to be able to verify signed jars.

> I suppose that, with Java Web Start, the jar-signing mechanism may
> request at least one authorization for each signing key...

I don't know how that would work.

--
Sandy McArthur

"He who dares not offend cannot be honest."
- Thomas Paine
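The arrangement discussed in this thread (a private root certificate that issues code-signing certificates to release managers, with end users importing the root to verify jars) can be tried with the JDK's own `keytool`, `jar` and `jarsigner`. This is an added example, not part of the original message or any Apache procedure; it assumes a JDK on the PATH, and every alias, name, file and password in it is constructed.

```shell
#!/bin/sh
# Added example. Aliases, DNs, file names and the password are constructed.
PW=changeit
ROOT="-keystore root.p12 -storetype PKCS12 -storepass $PW"
RM="-keystore rm.p12 -storetype PKCS12 -storepass $PW"
TRUST="-keystore trust.p12 -storetype PKCS12 -storepass $PW"

# Build the whole chain inside directory $1 (runs in a subshell).
make_pki_and_sign() (
  set -e
  cd "$1"
  # 1. Self-signed root CA: the project's "own root cert".
  keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Project Root CA" -ext bc:c -keypass "$PW" $ROOT
  keytool -exportcert -alias root -rfc -file root.crt $ROOT
  # 2. Release manager generates a key pair and a signing request.
  keytool -genkeypair -alias rm -keyalg RSA -keysize 2048 \
    -dname "CN=Example Release Manager" -keypass "$PW" $RM
  keytool -certreq -alias rm -file rm.csr $RM
  # 3. The root issues a certificate restricted to code signing.
  keytool -gencert -alias root -infile rm.csr -outfile rm.crt -rfc \
    -validity 365 -ext ku:c=digitalSignature -ext eku=codeSigning $ROOT
  # 4. Release manager installs the chain: root first, then the reply.
  keytool -importcert -noprompt -alias root -file root.crt $RM
  keytool -importcert -noprompt -alias rm -file rm.crt $RM
  # 5. Build a small jar from constructed content and sign it.
  mkdir payload
  echo "constructed sample content" > payload/hello.txt
  jar cf demo.jar -C payload .
  jarsigner $RM demo.jar rm
  # 6. End user side: a trust store holding only the root certificate.
  keytool -importcert -noprompt -alias example-root -file root.crt $TRUST
)

# Verify jar $1; pass a trust store path as $2 to trust the private root.
# -strict turns an unvalidated certificate chain into a non-zero exit code.
verify_jar() {
  if [ -n "$2" ]; then
    jarsigner -verify -strict -keystore "$2" -storetype PKCS12 \
      -storepass "$PW" "$1"
  else
    jarsigner -verify -strict "$1"
  fi
}
```

Run `make_pki_and_sign` on an empty directory, then call `verify_jar` on `demo.jar` with and without `trust.p12`: the same signed jar passes strict verification only when the root certificate is in the store being consulted.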
