On Thu, 13 Jan 2005 10:29:51 +0000, Steve Loughran
<[EMAIL PROTECTED]> wrote:
> On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> > Hi Steve,
> > I'd like to do whatever we can to get better security on this stuff. I
> > just need to get my head around what JAR signing provides in
> > comparison to key signing, and what impact it might have on existing
> > code. I'll read up on it.
> it doesn't hit existing code until you run with security turned on.
> At that point
> -JAR files need to be signed
> -you cannot have classes in the same package in >1 jar
> I believe the latter only kicks in under a secure classloader; we will
> have to check. If it is the case that everything has to be sealed,
> then signed jars are a no-starter.
> I will get our professionally paranoid security person on the case.
Once you sign a JAR, the classloader won't let you load more classes
into packages occupied by classes in that JAR, except from JAR files
signed by the same key.
This is effectively a cross-JAR form of sealing.
We cannot sign JAR files in this way; it will cause too much
confusion. And it's against the open source ethos of 'rebuild anything
What we can do is produce signature files alongside each artifact, one
that contains a signed MD5 or SHA1 checksum. Downloading apps can
retrieve the signatures and verify.
Note that if people/repositories do want to sign stuff, that is their
prerogative. Transit would work well in a contained env for secure
classloading of RMI files if everything was signed.
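The cross-JAR sealing effect described above (a package occupied by classes from a signed JAR can only be extended from JARs signed by the same key, and an unsigned JAR counts as a different signer) can be caught before it surfaces as a classloader error. The following pre-flight check is an added example written for this post, not code from the thread or from any project; the class name SplitPackageSignerCheck and the conflict-reporting format are my own choices.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical pre-flight tool: lists packages that are split across JARs with
// different signer sets, which a signature-checking classloader would refuse to
// load together. An unsigned entry yields the empty signer set, so a signed JAR
// plus an unsigned JAR sharing one package is reported as a conflict too.
public class SplitPackageSignerCheck {
    // Signer certificates of one entry. They are only available after the entry
    // has been read to the end, which is also when JarFile verifies its digest
    // (a tampered entry throws SecurityException here instead of at load time).
    static Set<Certificate> signersOf(JarFile jar, JarEntry entry) throws Exception {
        try (InputStream in = jar.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* drain to trigger verification */ }
        }
        Set<Certificate> certs = new HashSet<>();
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers != null) {
            for (CodeSigner s : signers) {
                certs.add(s.getSignerCertPath().getCertificates().get(0));
            }
        }
        return certs;
    }

    // package name -> distinct signer sets seen across all classes in that package
    static Map<String, Set<Set<Certificate>>> signerSetsByPackage(List<String> jarPaths)
            throws Exception {
        Map<String, Set<Set<Certificate>>> result = new TreeMap<>();
        for (String path : jarPaths) {
            try (JarFile jar = new JarFile(path, true)) { // true = verify signatures
                for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                    JarEntry entry = e.nextElement();
                    String name = entry.getName();
                    if (!name.endsWith(".class")) continue;
                    int slash = name.lastIndexOf('/');
                    String pkg = slash < 0 ? "" : name.substring(0, slash).replace('/', '.');
                    result.computeIfAbsent(pkg, k -> new HashSet<>()).add(signersOf(jar, entry));
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (Map.Entry<String, Set<Set<Certificate>>> p
                : signerSetsByPackage(Arrays.asList(args)).entrySet()) {
            if (p.getValue().size() > 1)  // more than one signer set: would fail to load
                System.out.println("CONFLICT: package " + p.getKey()
                        + " has " + p.getValue().size() + " distinct signer sets");
        }
    }
}
```

Run it with the JARs that will share a classpath as arguments; an empty output means no package is split across differently signed (or unsigned) JARs.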