Steve,

Would we be talking about "gpg --armor --output commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar"? Or is there some other mechanism we would need to go through?
Even if someone compromised the repository, they would need to get your private key and passphrase to create a valid, signed MD5. I know people here are touchy about scope, but JAR signing seems limiting in that it only applies to jar files and is entirely specific to Java.

Tim O'Brien

> -----Original Message-----
> From: Steve Loughran [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 13, 2005 7:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: repo security
>
> On Thu, 13 Jan 2005 10:29:51 +0000, Steve Loughran
> <[EMAIL PROTECTED]> wrote:
> > On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter
> > <[EMAIL PROTECTED]> wrote:
> > > Hi Steve,
> > >
> > > I'd like to do whatever we can to get better security on this stuff.
> > > I just need to get my head around what JAR signing provides in
> > > comparison to key signing, and what impact it might have on existing
> > > code. I'll read up on it.
> >
> > It doesn't hit existing code until you run with security turned on.
> >
> > At that point
> > - JAR files need to be signed
> > - you cannot have classes in the same package in >1 jar
> >
> > I believe the latter only kicks in under a secure classloader; we will
> > have to check. If it is the case that everything has to be sealed,
> > then signed jars are a non-starter.
> >
> > I will get our professionally paranoid security person on the case.
>
> Consultation complete.
>
> Once you sign a JAR, the classloader won't let you load more
> classes into packages occupied by classes in that JAR, except
> from JAR files signed by the same key.
>
> This is effectively a cross-JAR form of sealing.
>
> We cannot sign JAR files in this way; it will cause too much
> confusion. And it's against the open source ethos of 'rebuild
> anything you like'.
>
> What we can do is produce signature files alongside each
> artifact, one that contains a signed MD5 or SHA1 checksum.
> Downloading apps can retrieve the signatures and verify.
>
> Note that if people/repositories do want to sign stuff, that
> is their prerogative. Transit would work well in a contained
> env for secure classloading of RMI files if everything was signed.
>
> -steve
>
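The scheme Steve describes (a detached signature over a checksum file published next to the artifact) and the gpg command Tim asks about, worked through end to end as an added example. This is not code from the thread or from the Maven project: the artifact name commons-foo-1.2.jar is taken from the thread, while the key identity releases@example.invalid, the temporary directories and the jar contents are made up, and SHA-1 is used in place of MD5 with a `.sha1` / `.sha1.asc` layout. It assumes GnuPG 2.1 or later on the PATH. Beyond the signing command itself, it shows the downloader's two checks and the two tampering cases that motivate them: a swapped jar (caught by the checksum) and a swapped jar plus rewritten checksum file (caught only by the signature).

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread or project: publish a
# detached GPG signature over a Maven-style artifact's checksum file and
# verify it the way a downloading tool would. Names and contents are made up.
set -u

RELEASE_FPR=""   # fingerprint of the release key the verifier pins

# SHA-1 of a file as a bare hex string (coreutils sha1sum or Perl shasum).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# Create a throwaway release key in a private GNUPGHOME (hypothetical identity)
# and record its fingerprint. Returns 77 if gpg is not installed.
setup_keyring() {
  command -v gpg >/dev/null 2>&1 || return 77
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Release Manager (example) <releases@example.invalid>' \
      ed25519 sign >/dev/null 2>&1 || return 1
  RELEASE_FPR="$(gpg --batch --with-colons --fingerprint releases@example.invalid \
                 | awk -F: '/^fpr:/ {print $10; exit}')"
  [ -n "$RELEASE_FPR" ]
}

# Publisher side: write <jar>.sha1 and an ASCII-armored detached signature
# <jar>.sha1.asc over it (the layout Tim asked about, SHA-1 instead of MD5).
sign_artifact() {
  local jar="$1"
  sha1_of "$jar" > "$jar.sha1"
  gpg --batch --quiet --yes --armor --output "$jar.sha1.asc" \
      --detach-sig "$jar.sha1" 2>/dev/null
}

# Downloader, step 1: the checksum file must carry a good signature from the
# pinned release key. The bare exit status of "gpg --verify" is not enough,
# because it is also 0 for a signature by any other key in the keyring.
verify_signature() {
  local jar="$1"
  gpg --batch --status-fd 1 --verify "$jar.sha1.asc" "$jar.sha1" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG $RELEASE_FPR "
}

# Downloader, step 2: the artifact must match the now-trusted checksum.
verify_checksum() {
  local jar="$1"
  [ "$(sha1_of "$jar")" = "$(tr -d '[:space:]' < "$jar.sha1")" ]
}

verify_artifact() { verify_signature "$1" && verify_checksum "$1"; }

# Walk through a clean download and two tampering scenarios.
# Returns 0 if every check behaved as expected, 77 if gpg is unavailable,
# 1 otherwise.
demo() {
  local rc=0
  setup_keyring || rc=$?
  [ "$rc" -eq 0 ] || return "$rc"
  local work jar
  work="$(mktemp -d)"
  jar="$work/commons-foo-1.2.jar"
  printf 'PK\003\004 constructed stand-in for jar contents\n' > "$jar"  # constructed sample
  sign_artifact "$jar" || return 1
  verify_artifact "$jar" || { echo "clean artifact failed to verify"; return 1; }

  # Scenario A: the jar is replaced on the repository, checksum file untouched.
  printf 'PK\003\004 trojaned contents\n' > "$jar"
  verify_signature "$jar" || return 1   # still valid: the .sha1 file is unchanged
  verify_checksum "$jar" && return 1    # but the jar no longer matches it
  echo "A: swapped jar caught by the checksum"

  # Scenario B: the attacker also rewrites the checksum file to match. A plain
  # .sha1 file cannot defend against this; the detached signature does, since
  # the attacker does not hold the release key.
  sha1_of "$jar" > "$jar.sha1"
  verify_checksum "$jar" || return 1    # the checksum alone is now fooled
  verify_signature "$jar" && return 1   # the signature over .sha1 no longer verifies
  echo "B: rewritten checksum caught by the signature"

  gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$work" "$GNUPGHOME"
  return 0
}

# Run the walkthrough when the file is executed directly.
demo && echo "all checks behaved as expected" || echo "demo stopped with status $?"
```

Two points a downloading tool has to get right, both visible in the script: it must pin the release key (the fingerprint recorded by `setup_keyring`, which in a real repository would come from an out-of-band KEYS file) rather than trust whatever key happens to verify, and it must verify the signature before comparing the checksum, since an unsigned checksum file is rewritten as easily as the artifact. The checksum algorithm matters less than the signature here, but MD5 and SHA-1 are no longer collision-resistant, so a new deployment would publish SHA-256 digests instead.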