Hi Marshall,When I looked into Java signing and found it to be too burdensome. There are two basic issues with it that made me think that it wasn't suitable for use with Apache projects:
1. The certificates are the keys to the kingdom. Whoever has the ability to use the certificates warrants the contents of the jar, so the certificates need to be kept secret. It's not practical for Apache projects to have secrets like this, so each individual would need their own certificate.
2. The runtime cost of checking the certificate every time the jar is used.
Just my opinion, Craig On Aug 20, 2007, at 8:54 AM, Marshall Schor wrote:
I'm no expert in signing, but am looking into alternatives. This is what I've found, so far.Apache projects sign their distributable artifacts; see http:// www.apache.org/dev/release-signing.htmlFor artifacts which are Jars, there is another standard for signing which is supported by Java itself, in that the signed Jar can be "verified" when loaded. This kind of signingrequires, besides the "private key", a "certificateauthority" which indicates who owns the key. See http:// java.sun.com/docs/books/tutorial/deployment/jar/intro.htmlApache signing, to my knowledge, doesn't require use of a certificate authority.In looking at several projects placing Jars in Maven repositories, they appear to be signing Jars using the Apache signing, not the Java Jar signing mechanism. Maven (I believe)supports this.Eclipse, as of release 3.3 (just out), has moved to a posture of signing all of its Jars using the Java mechanisms, see http:// wiki.eclipse.org/JAR_SigningThere are some issues to signing Jars with Java's approach - in terms of performance impacts. These are documented here: http:// wiki.eclipse.org/index.php/ Performance_Bloopers#JAR_signing_and_verificationEclipse avoids these performance impacts by not using the popular Java class loadersbuilt on the URLClassLoader.I'd be interested to learn if others have gone down the Java JAR signing path, and if so,- is it considered an OK alternative to Apache signing,- how did you get a certificate authority to verify ownership of your signing key- how did you avoid performance issuesIf not - does anyone know if the Eclipse update site mechanism supports the Apache-style signing mechanism, or can be made to support this? (The Eclipse update site mechanism checks if the artifacts have been signed, and if so, verifies them, prior to installing them. But I believe it only works with Java JAR signed objects - but I could be mistaken).Thanks for any guidance / experiences. -Marshall Schor (Apache UIMA project) --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Craig Russell Architect, Sun Java Enterprise System http://java.sun.com/products/jdo 408 276-5638 mailto:[EMAIL PROTECTED] P.S. A good JDO? O, Gasp!
smime.p7s
Description: S/MIME cryptographic signature
