Peter Firmstone wrote:
I don't know how to enable the Service to specify a constraint on the signer of the downloaded codebase if not originating from the service, any ideas?
The HTTPMD protocol handler (URLStreamHandler) does this by requiring that you know the MD5 sum of the jar that you want to download. If you try and download the jar, and the sum is different, you can know that the content is not what you originally knew it to be.
Not directly signing, but a mechanism that is similar and provides a fairly secured indication of "source" based on what you knew at the moment you acquired the MD5 sum.
Gregg Wonderly
