www-repository mailing list archives

From "Steve Loughran" <steve.lough...@gmail.com>
Subject Re: Re[2]: Maven repository security
Date Wed, 02 Aug 2006 13:30:46 GMT

On 02/08/06, Peter Kriens <Peter.Kriens@aqute.biz> wrote:
>
> 2a. JAR file verification
>    Verifying a JAR file is not as hard as it sounds. Jarsigner can
>    do it, and it is not that hard to code up. However, why do you need to
>    do this? The class loader will do this properly during class loading
>    which gives you end-to-end security. Notice that a signed JAR does
>    not tell you it is trustworthy, it just tells you who signed it.
>    You need to decide how much you trust the signer (or the signer of
>    the signer certificate if you use certificate chains).


I don't think jarsigner does work. This is why Ant doesn't have a
<verifysigned> task; I backed it out once we became aware of all the
deficiencies of the code. It looks like it works, but it doesn't check
that a JAR is signed by anyone you trust, and it doesn't change its
return code depending on whether the thing was validated or not. All
you can do is look at the output string and hope it doesn't change from
version to version.

Maybe Java 1.4 or 1.5 has the API calls to validate the CA chain of the
signatures.

-steve
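
The two gaps named in the message above (no check that the signer is trusted, no failing exit status) can be closed with the standard `java.util.jar` and `java.security.cert` APIs. The following is an added example, not code from this thread, Ant or jarsigner; the class name, the argument order (JAR path, then trust store path) and the `TRUSTSTORE_PASS` variable are assumptions.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.*;

public class VerifySignedJar {
    // Signature bookkeeping files are never signed themselves; everything else must be.
    static final String SIG_FILE = "(?i)META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|DSA|RSA|EC))";

    // True if the signer's chain validates up to a certificate in the trust store.
    static boolean trusted(CodeSigner s, KeyStore trust) throws Exception {
        List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
        if (chain.isEmpty()) return false;
        int n = 0; // cut the chain at the first certificate that is itself trusted
        while (n < chain.size() && trust.getCertificateAlias(chain.get(n)) == null) n++;
        if (n == 0) return true; // the signer certificate itself is in the trust store
        PKIXParameters p = new PKIXParameters(trust);
        p.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain.subList(0, n));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, p);
            return true;
        } catch (CertPathValidatorException e) { return false; }
    }

    static void verify(File jar, KeyStore trust) throws Exception {
        try (JarFile jf = new JarFile(jar, true)) { // true = verify signatures on read
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().matches(SIG_FILE)) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // a digest mismatch throws SecurityException
                }
                CodeSigner[] signers = e.getCodeSigners(); // null until fully read, or if unsigned
                boolean ok = false;
                if (signers != null) for (CodeSigner s : signers) ok |= trusted(s, trust);
                if (!ok) throw new SecurityException("no trusted signer for " + e.getName());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("TRUSTSTORE_PASS"); // hypothetical variable name
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { trust.load(in, pw == null ? null : pw.toCharArray()); }
        try { verify(new File(args[0]), trust); System.out.println("verified"); }
        catch (SecurityException e) { System.err.println("rejected: " + e.getMessage()); System.exit(1); }
    }
}
```

The chain is validated as of the current time, so a JAR whose signer certificate has since expired is rejected even if the signature carries a timestamp.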
