[ http://jira.codehaus.org/browse/MOJO-263?page=comments#action_65278 ] 

Geoffrey De Smet commented on MOJO-263:
---------------------------------------

The component extension can be hell for your users, as they might have to click 
through a multitude of certificates to accept.
That's exactly the one thing that the jnlp spec tries to enforce by having 
all jars certified by one certificate... the only problem is they won't allow 
that those jars are also signed by other certificates too.

It's easy to overwrite a signed jar's signature:
First sign it and then remove META-INF/xxx.RSA and SF
Problem is the maven jar plugin won't allow you to sign a jar which is already 
signed.

> [webstart] deal with unsigned jars
> ----------------------------------
>
>          Key: MOJO-263
>          URL: http://jira.codehaus.org/browse/MOJO-263
>      Project: Mojo
>         Type: New Feature

>   Components: webstart
>     Reporter: Jerome Lacoste
>     Assignee: Jerome Lacoste

>
>
> There are potential issues when dealing with including such already signed 
> jars in a webstart application.
> In particular see:
> http://jira.codehaus.org/browse/MOJO-7#action_49160
> and the relevant m1 jnlp issues:
> http://jira.codehaus.org/browse/MPJNLP-20
> http://jira.codehaus.org/browse/MPJNLP-28
> According to the feedback I got on the maven user list, I think that, in 
> order to satisfy everybody, we need to:
> - handle already signed jars (MPJNLP-28)
>   - primarily we need the possibility to unsign a jar. That will probably go 
> to jar:unsign.
>   - optionally avoid signing jars that are already signed.
> - optionally clean the Manifest (maven1 jnlp feature, to work around SDK 1.3 
> issue - See MPJNLP-20)
> Did I miss something?
> Now how do we present that to the user?
> We could:
> - assume that every jar will be signed by default
> - let the user list the operation to perform, maybe using something like:
>   <sign>
>     <dname>...</dname>
>     ...
>     <unsign>
>       <dependency>...</dependency>
>     </unsign>
>     <skipSignedJars>true</skipSignedJars>
>     <cleanManifest>true</cleanManifest>
>   </sign>
> Does that look correct?
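
The two operations discussed above, detecting an already signed jar (the skipSignedJars decision) and unsigning one, as an added Python example that is not part of the JIRA thread or of any Maven plugin. The function names and the sample jar are constructed for illustration; besides dropping the META-INF signature files, it also removes the per-entry digests that signing leaves in the manifest.

```python
import io
import re
import zipfile

SIG_RE = re.compile(r"^META-INF/(?:[^/]+\.(?:SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
DIGEST_RE = re.compile(r"^[\w-]+-Digest(?:-[\w-]+)?:")   # e.g. "SHA-256-Digest:"

def signature_entries(jar):
    """Names of signature files in the jar; an empty list means it is unsigned."""
    with zipfile.ZipFile(jar) as zf:
        return [n for n in zf.namelist() if SIG_RE.match(n)]

def strip_digests(manifest):
    """Keep the main section; drop *-Digest attributes from per-entry sections."""
    sections = [s for s in re.split(r"(?:\r?\n){2,}", manifest.decode("utf-8")) if s.strip()]
    kept = ["\r\n".join(sections[0].splitlines())]
    for sec in sections[1:]:
        lines, keep = [], True
        for line in sec.splitlines():
            if not line.startswith(" "):      # a leading space marks a continuation line
                keep = not DIGEST_RE.match(line)
            if keep:
                lines.append(line)
        if sum(not l.startswith(" ") for l in lines) > 1:   # more than just "Name:"
            kept.append("\r\n".join(lines))
    return ("\r\n\r\n".join(kept) + "\r\n\r\n").encode("utf-8")

def unsign(src, dst):
    """Copy src to dst, leaving out signature files and manifest digests."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if SIG_RE.match(info.filename):
                continue
            data = zin.read(info.filename)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                data = strip_digests(data)
            zout.writestr(info, data)

def sample_signed_jar():
    """Constructed input: the layout of a signed jar, with placeholder contents."""
    manifest = ("Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
                "Name: com/example/A.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
                "Name: com/example/B.class\r\nContent-Type: application/java-vm\r\n"
                "SHA-256-Digest: BBBB\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name in ("META-INF/VENDOR.SF", "META-INF/VENDOR.RSA",
                     "com/example/A.class", "com/example/B.class"):
            zf.writestr(name, b"dummy")  # placeholder bytes, not real signatures
    return buf
```

`src` and `dst` may be file paths or file-like objects. A build step can call `signature_entries()` first and skip or unsign the jar depending on the result.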
