Re: signing a JAR file

Rob Crittenden wrote:

Can I package up the mozilla.org pre-signed JAR file? I think that would qualify it as a "binary distribution" though, which is frowned upon.


This is an interesting question possibly for our packaging guidelines committee. It is obvious that you cannot make a reproducible signed binary as needed in this case using our current guidelines.

Perhaps a scheme like this would be acceptable:
1) Spec file builds the JAR from sources.
2) Uses some kind of intelligent compare algorithm to be sure that the Java bytecode is truly identical to the signed JAR.
3) ONLY IF THEY MATCH, then throw away the built copy and ship the signed JAR.

Now there are possible problems with this...
1) How error-prone or even possible is it to make reproducible JAR files that can compare in this way?
2) Does this run afoul of any licenses, like the proposed GPLv3 anti-DRM provisions?

Other question...
*Who* must sign the JAR file for it to be valid?

Warren Togami
wtogami redhat com
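The compare step in the scheme above can be sketched concretely. The following is an added example, not code from this thread, from Fedora or from mozilla.org: it hashes every non-signature entry of a locally built JAR and of the vendor-signed JAR, so zip entry order, timestamps and the META-INF files that a signer adds or rewrites (MANIFEST.MF, .SF, .RSA/.DSA/.EC) are ignored, while any difference in the shipped classes or resources is reported. It also refuses to accept a "signed" JAR that carries no signature files at all. The class bytes and signature blobs are constructed fixtures, not real bytecode or real signatures.

```python
"""Build-time check: does a locally built JAR match a vendor-signed JAR?

Added example for this thread (not code from the original posts). Approximates
the "intelligent compare" step by hashing every non-signature entry of both
JARs, so zip ordering, timestamps and signer-written META-INF files are
ignored, while any change in shipped classes or resources is reported.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

# Entries a signer adds or rewrites: jarsigner writes per-entry digests into
# MANIFEST.MF, a .SF signature file and a .RSA/.DSA/.EC signature block.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for the META-INF files that differ between an unsigned and a signed JAR."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith((".SF",) + SIGNATURE_BLOCK_SUFFIXES)


def content_digests(jar_bytes: bytes) -> Dict[str, str]:
    """Map entry name -> SHA-256 of decompressed content, skipping directories and signature files."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def has_signature(jar_bytes: bytes) -> bool:
    """A signed JAR must carry both a .SF file and a signature block."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    return any(n.endswith(".SF") for n in names) and any(n.endswith(SIGNATURE_BLOCK_SUFFIXES) for n in names)


def compare_jars(built: bytes, signed: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only if every non-signature entry is
    byte-identical and the signed JAR really is signed; only then may the
    built copy be discarded in favour of the signed one."""
    built_d, signed_d = content_digests(built), content_digests(signed)
    problems: List[str] = []
    for name in sorted(set(built_d) | set(signed_d)):
        if name not in signed_d:
            problems.append(f"missing from signed JAR: {name}")
        elif name not in built_d:
            problems.append(f"extra in signed JAR: {name}")
        elif built_d[name] != signed_d[name]:
            problems.append(f"content differs: {name}")
    if not has_signature(signed):
        problems.append("signed JAR carries no signature files")
    return (not problems, problems)


def make_jar(entries: Dict[str, bytes], date_time=(2007, 1, 1, 0, 0, 0)) -> bytes:
    """Constructed test fixture: write entries into an in-memory JAR with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed stand-ins for compiled classes (only the magic number is real).
CLASS_A = b"\xca\xfe\xba\xbe" + b"constructed bytes for org/example/A"
CLASS_B = b"\xca\xfe\xba\xbe" + b"constructed bytes for org/example/B"

# What the spec file's own build would produce.
BUILT_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/A.class": CLASS_A,
    "org/example/B.class": CLASS_B,
})

# Same classes, signer-rewritten manifest, signature files, different order and timestamp.
SIGNED_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: org/example/A.class\nSHA-256-Digest: (constructed)\n",
    "META-INF/VENDOR.SF": b"Signature-Version: 1.0\n(constructed)\n",
    "META-INF/VENDOR.RSA": b"(constructed PKCS#7 block)",
    "org/example/B.class": CLASS_B,
    "org/example/A.class": CLASS_A,
}, date_time=(2007, 6, 15, 12, 30, 0))

# One class differs from the source build (e.g. a different compiler): must be reported, not shipped.
MISMATCHED_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/VENDOR.SF": b"Signature-Version: 1.0\n(constructed)\n",
    "META-INF/VENDOR.RSA": b"(constructed PKCS#7 block)",
    "org/example/A.class": CLASS_A,
    "org/example/B.class": CLASS_B + b"-different",
})

if __name__ == "__main__":
    for label, jar in (("signed", SIGNED_JAR), ("mismatched", MISMATCHED_JAR), ("unsigned", BUILT_JAR)):
        ok, problems = compare_jars(BUILT_JAR, jar)
        print(label, "OK: ship signed JAR" if ok else f"REJECT: {problems}")
```

Comparing by exact entry bytes answers question 1 in the honest way: if javac output is not reproducible between the vendor's build and the packager's build, the check fails and the build must stop, rather than shipping a binary that cannot be tied to the sources. Normalizing zip metadata is the only "intelligence" this compare has; it does not try to judge two different class files as equivalent.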

