Is JAR signing _ever_ harmful?

Discussion in 'Java' started by Andy Dingley, Aug 17, 2006.

  1. Andy Dingley

    Andy Dingley Guest

    I'm having a series of ructions with our on-site installation people,
    re: JAR signing. It's a big app, big budget, and we have lots of
    be-suited consultants running around on customer sites for long
    periods. I live back in the coder's garret, making the product.
    Sometimes they throw me the odd doughnut.

    Basically they're reporting every bug and misconfiguration they can
    find as being caused by our recent switch to JARs rather than loose
    ..class files, and in particular by these JARs being signed. It's a
    self-generated key, without an X509 cert (at present).

    Before I go postal with the +3 Lart-o-doom, can I please ask if there
    are _ANY_ circumstances, no matter how perverse, where signing a JAR
    could cause something to break? I know of nothing. Nada. Zilch.

    One problem we have had was due to signing across two JARs having been
    done by different keys. As the real problem here was trying to mix code
    from product versions V1 and V2 (a big non-no anyway) then I see this
    more as a feature than a bug. But try telling them that...
    Andy Dingley, Aug 17, 2006
    #1
    1. Advertising

  2. Andy Dingley

    Guest

    Andy Dingley wrote:
    > I'm having a series of ructions with our on-site installation people,
    > re: JAR signing. It's a big app, big budget, and we have lots of
    > be-suited consultants running around on customer sites for long
    > periods. I live back in the coder's garret, making the product.
    > Sometimes they throw me the odd doughnut.
    >
    > Basically they're reporting every bug and misconfiguration they can
    > find as being caused by our recent switch to JARs rather than loose
    > .class files, and in particular by these JARs being signed. It's a
    > self-generated key, without an X509 cert (at present).
    >
    > Before I go postal with the +3 Lart-o-doom, can I please ask if there
    > are _ANY_ circumstances, no matter how perverse, where signing a JAR
    > could cause something to break? I know of nothing. Nada. Zilch.
    >
    > One problem we have had was due to signing across two JARs having been
    > done by different keys. As the real problem here was trying to mix code
    > from product versions V1 and V2 (a big non-no anyway) then I see this
    > more as a feature than a bug. But try telling them that...


    The only time I encountered problems like this was when we had two jars
    containing classes in the javax/xml/namespace package which conflicted.
    Caused I think by a version mismatch, or confusion about which version
    was supposed to be used. Versioning is a general problem with jars
    though.

    Using the same key throughout shouldn't cause problems.
    , Aug 17, 2006
    #2
    1. Advertising

  3. Andy Dingley

    Ben_ Guest

    Managing the expiration of the certificate is an issue to address.

    Keeping the private key secret is another.
    Ben_, Aug 17, 2006
    #3
  4. Andy Dingley

    PofN Guest

    Andy Dingley wrote:
    > Before I go postal with the +3 Lart-o-doom, can I please ask if there
    > are _ANY_ circumstances, no matter how perverse, where signing a JAR
    > could cause something to break? I know of nothing. Nada. Zilch.


    Well, it is apparently harmful to the pea-size brains of those
    conslutants. Which is a good thing, isn't it?

    Let them report every alleged error. Give them a ticket. Respond to
    every ticket with "Thanks for informing us about the issue. We will
    take care of it in due course.". Then give it the lowest priority.
    After a year or two you close the bug report with "not reproducible".

    Should they start asking questions tell them "We are still
    investigating. There are some complex interactions. There might be a
    bug in Sun's tools. An ion-storm might have flipped some bits."

    If they still complain, cite "complex security issues of which they as
    top-notch consultants are for sure aware of". If they complain to your
    boss, answer in the same way. Act as if these security issues are
    widely known and that you are surprised that the conslutants don't know
    shit.

    And in the meantime you convert the whole installation to JWS. If done
    right that might drive the conslutants out of business. Maybe some of
    them find honest work in the burger flipping business.

    PofN
    PofN, Aug 17, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Peter

    signing jar many times?

    Peter, Mar 4, 2004, in forum: Java
    Replies:
    1
    Views:
    468
    Thomas Schodt
    Mar 4, 2004
  2. Arnold Peters
    Replies:
    0
    Views:
    564
    Arnold Peters
    Jan 5, 2005
  3. muttley
    Replies:
    0
    Views:
    2,714
    muttley
    Oct 20, 2005
  4. cyberco
    Replies:
    4
    Views:
    3,746
    Roedy Green
    Feb 14, 2006
  5. Arnold Peters
    Replies:
    0
    Views:
    653
    Arnold Peters
    Jan 5, 2005
Loading...

Share This Page