signing a JAR file

Warren Togami wtogami at redhat.com
Tue Feb 20 21:37:45 UTC 2007


Rob Crittenden wrote:
> 
> Can I package up the mozilla.org jar pre-signed jar file? I think that 
> would qualify it as a "binary distribution" though which is frowned upon.
> 
> rob
> 

This is an interesting question possibly for our packaging guidelines 
committee.  It is obvious that you cannot make a reproducible signed 
binary as needed in this case using our current guidelines.

Perhaps a scheme like this would be acceptable:
1) Spec file builds the JAR from sources.
2) Uses some kind of intelligent compare algorithm to be sure that the 
Java bytecode is truly identical to the signed JAR.
3) ONLY IF THEY MATCH, then throw away the built copy and ship the 
signed JAR.

Now there are possible problems with this...
1) How error-prone or even possible is it to make reproducible JAR files 
that can compare in this way?
2) Does this run afoul of any licenses, like the proposed GPLv3 anti-DRM 
  provisions?

Other question...
*Who* must sign the JAR file for it to be valid?

Warren Togami
wtogami at redhat.com
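One way to implement step 2 and step 3 of the scheme proposed above, added here as an example that is not from this thread or from any Fedora packaging tool: it compares the freshly built JAR with the pre-signed JAR entry by entry, skipping only the signature files that jarsigner adds under META-INF/, and ships the signed JAR only when every remaining entry is byte-identical. Comparing uncompressed entry contents rather than the zip files themselves sidesteps the entry-timestamp part of problem 1, but not differences in compiler output. The entry names in the test are constructed.

```python
import hashlib
import zipfile

# Files that jarsigner writes or rewrites; everything else must match byte-for-byte.
SIGNATURE_NAMES = {"META-INF/MANIFEST.MF"}
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for the signature metadata in META-INF/, which is excluded from the compare."""
    return name in SIGNATURE_NAMES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(jar_path: str) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes.

    Zip-level metadata (entry timestamps, compression method) is deliberately
    ignored, since that is what usually differs between two otherwise identical builds.
    """
    digests = {}
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(built_jar: str, signed_jar: str) -> list:
    """Return the sorted names of entries whose contents differ or that exist in only one JAR."""
    built = content_digests(built_jar)
    signed = content_digests(signed_jar)
    return sorted(n for n in built.keys() | signed.keys() if built.get(n) != signed.get(n))


def choose_jar_to_ship(built_jar: str, signed_jar: str) -> str:
    """Step 3 of the scheme: ship the signed JAR only if the comparison is clean, else fail the build."""
    mismatches = compare_jars(built_jar, signed_jar)
    if mismatches:
        raise RuntimeError("signed JAR does not match the build: " + ", ".join(mismatches))
    return signed_jar


if __name__ == "__main__":
    import sys
    # Usage from a spec file: python3 compare_jars.py built.jar signed.jar
    print(choose_jar_to_ship(sys.argv[1], sys.argv[2]))
```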

