Is JAR signing _ever_ harmful?

Andy Dingley

I'm having a series of ructions with our on-site installation people,
re: JAR signing. It's a big app, big budget, and we have lots of
be-suited consultants running around on customer sites for long
periods. I live back in the coder's garret, making the product.
Sometimes they throw me the odd doughnut.

Basically they're reporting every bug and misconfiguration they can
find as being caused by our recent switch to JARs rather than loose
.class files, and in particular by these JARs being signed. It's a
self-generated key, without an X509 cert (at present).

Before I go postal with the +3 Lart-o-doom, can I please ask if there
are _ANY_ circumstances, no matter how perverse, where signing a JAR
could cause something to break? I know of nothing. Nada. Zilch.

One problem we have had was due to signing across two JARs having been
done by different keys. As the real problem here was trying to mix code
from product versions V1 and V2 (a big no-no anyway) then I see this
more as a feature than a bug. But try telling them that...
 
hicks

Andy said:
I'm having a series of ructions with our on-site installation people,
re: JAR signing. It's a big app, big budget, and we have lots of
be-suited consultants running around on customer sites for long
periods. I live back in the coder's garret, making the product.
Sometimes they throw me the odd doughnut.

Basically they're reporting every bug and misconfiguration they can
find as being caused by our recent switch to JARs rather than loose
.class files, and in particular by these JARs being signed. It's a
self-generated key, without an X509 cert (at present).

Before I go postal with the +3 Lart-o-doom, can I please ask if there
are _ANY_ circumstances, no matter how perverse, where signing a JAR
could cause something to break? I know of nothing. Nada. Zilch.

One problem we have had was due to signing across two JARs having been
done by different keys. As the real problem here was trying to mix code
from product versions V1 and V2 (a big no-no anyway) then I see this
more as a feature than a bug. But try telling them that...

The only time I encountered problems like this was when we had two jars
containing classes in the javax/xml/namespace package which conflicted.
Caused I think by a version mismatch, or confusion about which version
was supposed to be used. Versioning is a general problem with jars
though.

Using the same key throughout shouldn't cause problems.
 
Ben_

Managing the expiration of the certificate is an issue to address.

Keeping the private key secret is another.
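
Added example, not part of any poster's message: a small Java audit that answers the two practical questions raised in this thread, namely which key signed each JAR (mixed signers across JARs) and when the signing certificate expires. It uses only the standard java.util.jar and java.security APIs; the class name, the JAR names in the usage comment and the 90-day warning window are assumptions.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Usage: java JarSignerAudit.java app-core.jar app-ui.jar   (JAR names are placeholders)
public class JarSignerAudit {
    static final long WARN_DAYS = 90; // assumed warning window before certificate expiry

    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> jarsBySigner = new TreeMap<>();
        byte[] buf = new byte[8192];
        for (String path : args) {
            try (JarFile jar = new JarFile(path, true)) { // true: verify signatures while reading
                for (JarEntry e : Collections.list(jar.entries())) {
                    if (e.isDirectory()) continue;
                    // Signer certificates are only populated once the entry is read to the end;
                    // an entry whose digest no longer matches throws SecurityException here.
                    try (InputStream in = jar.getInputStream(e)) {
                        while (in.read(buf) != -1) { }
                    }
                    Certificate[] certs = e.getCertificates();
                    // The manifest and signature files are never signed themselves: skip them.
                    if (certs == null && e.getName().startsWith("META-INF/")) continue;
                    jarsBySigner.computeIfAbsent(describe(certs), k -> new TreeSet<>()).add(path);
                }
            }
        }
        jarsBySigner.forEach((signer, jars) -> System.out.println(signer + "\n    " + jars));
        if (jarsBySigner.size() > 1)
            System.out.println("WARNING: more than one signer (or unsigned classes) in this set of JARs");
    }

    // The first certificate in the array is the signing certificate of the first signer.
    static String describe(Certificate[] certs) throws Exception {
        if (certs == null) return "UNSIGNED";
        X509Certificate c = (X509Certificate) certs[0];
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        long daysLeft = (c.getNotAfter().getTime() - System.currentTimeMillis()) / 86_400_000L;
        String status = daysLeft < 0 ? "EXPIRED" : daysLeft < WARN_DAYS ? "EXPIRES SOON" : "ok";
        return String.format("%s  sha256=%064x  notAfter=%tF  [%s]",
                c.getSubjectX500Principal().getName(), new BigInteger(1, d), c.getNotAfter(), status);
    }
}
```

Run it over every JAR on the deployed classpath: a single output line means one key signed everything, while several lines show exactly which JARs came from a different build or were left unsigned.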
 
PofN

Andy said:
Before I go postal with the +3 Lart-o-doom, can I please ask if there
are _ANY_ circumstances, no matter how perverse, where signing a JAR
could cause something to break? I know of nothing. Nada. Zilch.

Well, it is apparently harmful to the pea-size brains of those
conslutants. Which is a good thing, isn't it?

Let them report every alleged error. Give them a ticket. Respond to
every ticket with "Thanks for informing us about the issue. We will
take care of it in due course." Then give it the lowest priority.
After a year or two you close the bug report with "not reproducible".

Should they start asking questions tell them "We are still
investigating. There are some complex interactions. There might be a
bug in Sun's tools. An ion-storm might have flipped some bits."

If they still complain, cite "complex security issues of which they as
top-notch consultants are for sure aware of". If they complain to your
boss, answer in the same way. Act as if these security issues are
widely known and that you are surprised that the conslutants don't know
shit.

And in the meantime you convert the whole installation to JWS. If done
right that might drive the conslutants out of business. Maybe some of
them find honest work in the burger flipping business.

PofN