On Thu, 13 Jan 2005 10:29:51 +0000, Steve Loughran
<[EMAIL PROTECTED]> wrote:
> On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> > Hi Steve,
> >
> > I'd like to do whatever we can to get better security on this stuff. I
> > just need to get my head around what JAR signing provides in
> > comparison to key signing, and what impact it might have on existing
> > code. I'll read up on it.
> 
> it doesn't hit existing code until you run with security turned on.
> 
> At that point
> -JAR files need to be signed
> -you cannot have classes in the same package in >1 jar
> 
> I believe the latter only kicks in under a secure classloader; we will
> have to check. If it is the case that everything has to be sealed,
> then signed jars are a non-starter.
> 
> I will get our professionally paranoid security person on the case.
Consultation complete.

Once you sign a JAR, the classloader won't let you load more classes
into packages occupied by classes in that JAR, except from JAR files
signed by the same key.

This is effectively a cross-JAR form of sealing. 

We cannot sign JAR files in this way; it will cause too much
confusion. And it's against the open source ethos of 'rebuild anything
you like'.

What we can do is produce signature files alongside each artifact, one
that contains a signed MD5 or SHA1 checksum. Downloading apps can
retrieve the signatures and verify.

Note that if people/repositories do want to sign stuff, that is their
prerogative. Transit would work well in a contained env for secure
classloading of RMI files if everything was signed.

-steve
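
The sidecar-signature scheme Steve proposes, as an added example written for this page (it is not code from the thread, from Maven, or from Transit): the publisher writes a `.sha1` checksum file next to the artifact and a `.sha1.sig` file holding a signature over that checksum file; the downloader verifies the signature with a public key it already trusts, and only then compares the artifact against the checksum. The file suffixes, the RSA key pair generated in `main`, and the artifact bytes are assumptions; the checksum is SHA-1 to match the proposal in the text, though a deployment today would choose SHA-256 for the checksum file. The one point the text leaves implicit and the code makes explicit is that the verifying key must be pinned on the client side, since a signature checked against a key fetched from the same repository proves nothing about who produced the artifact.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

/**
 * Added example, not Maven's own code: detached signature files alongside
 * an artifact.  Publisher writes "<artifact>.sha1" and "<artifact>.sha1.sig";
 * the downloader verifies the signature with a pinned public key, then
 * checks the artifact against the authenticated checksum.
 */
public class ArtifactSignatureDemo {

    // Hypothetical sidecar names, modelled on Maven's "<artifact>.sha1" files.
    static final String CHECKSUM_SUFFIX = ".sha1";
    static final String SIGNATURE_SUFFIX = ".sha1.sig";

    /** Publisher side: content of "<artifact>.sha1" (lowercase hex SHA-1 of the artifact). */
    static String checksumFile(byte[] artifact) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(artifact);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Publisher side: content of "<artifact>.sha1.sig", a signature over the checksum file bytes. */
    static byte[] signChecksumFile(String checksum, PrivateKey publisherKey)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(publisherKey);
        sig.update(checksum.getBytes(StandardCharsets.US_ASCII));
        return sig.sign();
    }

    /**
     * Downloader side.  Order matters: first authenticate the checksum file with a
     * key the client already trusts (never one fetched from the repository being
     * verified), then compare the artifact's digest against it in constant time.
     */
    static boolean verifyArtifact(byte[] artifact, String checksum, byte[] signature,
                                  PublicKey trustedPublisherKey) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(trustedPublisherKey);
        sig.update(checksum.getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(signature)) {
            return false; // checksum file was not produced by the publisher: stop here
        }
        byte[] expected = checksum.trim().getBytes(StandardCharsets.US_ASCII);
        byte[] actual = checksumFile(artifact).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the publisher's key pair is generated here instead of being
        // loaded from a keystore; the public half is what clients would pin.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair publisher = gen.generateKeyPair();

        // Constructed bytes standing in for a real JAR.
        byte[] artifact = "constructed jar contents".getBytes(StandardCharsets.US_ASCII);

        String checksum = checksumFile(artifact);
        byte[] signature = signChecksumFile(checksum, publisher.getPrivate());
        System.out.println("sidecars: artifact.jar" + CHECKSUM_SUFFIX
                + ", artifact.jar" + SIGNATURE_SUFFIX);

        System.out.println("genuine artifact verifies: "
                + verifyArtifact(artifact, checksum, signature, publisher.getPublic()));

        // A swapped artifact fails the checksum comparison.
        byte[] tampered = artifact.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered artifact verifies: "
                + verifyArtifact(tampered, checksum, signature, publisher.getPublic()));

        // An attacker who also rewrites the .sha1 file still fails: the rewritten
        // checksum file does not carry a signature from the publisher's key.
        String forgedChecksum = checksumFile(tampered);
        System.out.println("forged checksum file verifies: "
                + verifyArtifact(tampered, forgedChecksum, signature, publisher.getPublic()));
    }
}
```

Signing the checksum file rather than the artifact itself keeps the large artifact download and the small verification data separate, which is what makes the "downloading apps can retrieve the signatures and verify" step cheap; nothing about it seals packages or changes what the JVM classloader does, which is the property that rules out signed JARs in the text above.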
