[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: signing a JAR file



On Tuesday 20 February 2007, Warren Togami wrote:
>
> Perhaps a scheme like this would be acceptable:
> 1) Spec file builds the JAR from sources.
> 2) Uses some kind of intelligent compare algorithm to be sure that the
> Java bytecode is truly identical to the signed JAR.
> 3) ONLY IF THEY MATCH, then throw away the built copy and ship the
> signed JAR.

Interesting idea.

> Now there are possible problems with this...
> 1) How error-prone or even possible is it to make reproducible JAR files
> that can compare in this way?

Different compilers generate at least somewhat different bytecode, and chances 
that the compilers used by upstream and Fedora are different are very high.  
Perhaps decompiling the bytecode in both the upstream jar and the built jar 
and comparing those would yield better results, OTOH the compiler differences 
might be reflected in the decompiled code too.  Hm, is there a Java 
decompiler included in Fedora?

> Other question...
> *Who* must sign the JAR file for it to be valid?

For JCE providers for use with Sun's Java, and applies probably to BEA as 
well, dunno about others, one needs to have a code signing certificate issued 
by Sun's JCE code signing CA.
http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205a


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]