Java comes with the ability to sign a jar file with a private key.
A signed jar file can then be verified by the user or verified by the
JVM at runtime if an application is using the Java SecurityManager.
Signing of jar files can help users protect themselves from trojan
versions of Java jar files.
Both Tomcat 3.2 and Tomcat 4.0 now support use of the Java SecurityManager.
The Jakarta project is providing a wide range of Java components which
are used in servlet containers such as Tomcat.
If Tomcat is being used with the Java SecurityManager, the Java policy
file can be configured so that it knows who is a valid signer of a jar
file. This allows users to upgrade jar files they install in Tomcat such
as xerces, xalan, taglibs, etc. with confidence that they won't install
a trojan'd version.
Signing of jar files provided in distributions from the Jakarta project
would give users a higher level of confidence that the software they are
using is secure.
Last May apache.org was compromised by "white hats"; if they had been
"black hats", software provided by the ASF could have easily been trojan'd.
Do you think the ASF should sign jar files?
If the ASF signs jars, a host of other questions are raised.
Should all jar files be signed, even for nightly builds? Or just
for major releases, betas, milestones, etc.?
Would only one key be used for all of ASF, or multiple keys?
How would the private key(s) be kept secure? Who would be authorized to sign?
Is there a way to provide signed jar files without making the build/
release process too difficult?
Regards,
Glenn
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
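
The policy-file configuration the message describes, as an added example that is not part of the original message or of any Tomcat distribution. It uses Java policy file syntax; the keystore path, the alias `asf-release`, the `/opt/tomcat` install path and the permissions shown are all assumptions chosen for illustration.

```java
// Java policy file (added example; all paths, the alias and the
// permissions below are hypothetical placeholders).

// Keystore holding the public certificates of the signers you trust.
// The signedBy names used below are aliases in this keystore.
keystore "file:/opt/tomcat/conf/trusted-signers.jks", "JKS";

// Weak form, shown commented out: the grant is keyed on location only.
// Any jar placed under lib/, including a replaced xerces or xalan jar,
// receives these permissions no matter who built it.
//
// grant codeBase "file:/opt/tomcat/lib/-" {
//     permission java.util.PropertyPermission "*", "read";
//     permission java.io.FilePermission "/opt/tomcat/webapps/-", "read";
// };

// Stricter form: the grant applies only to code that is loaded from
// lib/ AND carries a valid signature from the "asf-release" alias.
// An unsigned jar, or one signed with a different key, does not match
// this entry and gets none of the permissions listed here.
grant signedBy "asf-release", codeBase "file:/opt/tomcat/lib/-" {
    permission java.util.PropertyPermission "*", "read";
    permission java.io.FilePermission "/opt/tomcat/webapps/-", "read";
};
```

If the keystore cannot be loaded or the alias is not in it, the `signedBy` entry is ignored, so the code receives no permissions from it rather than falling back to an unsigned grant. Outside the JVM, a user can check a downloaded jar by hand with `jarsigner -verify`.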