I've been doing some JAR signing work in ant; a <verifyjar> task to go
alongside <signjar>. I had intended it to be a precursor to library
verification in Ant after download.

The summary is: 'signjar -verify' is a worthless bit of code; it
doesnt change its exit code when a JAR is unsigned, it doesnt even
change its success text "JAR verified." when a JAR is signed by
someone you dont trust. There is no way to validate (pre-Java1.5) a
JAR except by trying to load it in a secure classloader, and even
then, the loading code doesnt know what the result is, it is only the
loaded code, which finds it in a sandbox. The best bit: untrusted data
is still accessible by trusted code, without being able to check on
the value of that data.

There is no point in even making JAR signing/verifying an option for
validating jar files. It wont work, it will only lull people into


Reply via email to