Mailinglist Archive: opensuse-java (8 mails)

["Roberto Mannai" <robermann@xxxxxxxxx>]

IMHO you are right: if you download the sources and create a new
keystore (with a new password) you could resign the jar.

Anyway the repository of the tampered jar should not anymore the same
of your original package. Whoever use a package should trust the
repository that publish it; as far as I know, I could get whatever
package, crack any java source file with a malicious code, then
publish it into a my own repository.

Package security is related to the repository trust.

What do all of you think?

Ciao
Roberto

On Mon, Jun 9, 2008 at 8:52 PM, Kirill Kirillov
<kirill.kirillov@xxxxxxxxx> wrote:
> В Пнд, 09/06/2008 в 09:55 +0200, Roberto Mannai пишет:
>
> > about signing jars, my project signed them, so it is possibile :) ;
> > I'm using the following ant task:
> >
> >               <!-- signing to use as a Java Web Start application -->
> >               <signjar keystore="${src}/../myKeystore"
> >                       jar="${dist}\java2demo.jar"
> >                       alias="www.codesounding.org"
> >                   storepass="XYZ"
> >               />
> >
> > See 
> > https://build.opensuse.org/package/show?package=codesounding&project=home%3Arobermann79-
>
> IMHO, it's not a secure solution, because by providing access to this
> build.xml with password, anyone can build modified xxx.jar and sign it
> with official signature and therefore it'll become useless. Am I wrong?
>
> Kirill.
>
> --
> To unsubscribe, e-mail: opensuse-java+unsubscribe@xxxxxxxxxxxx
> For additional commands, e-mail: opensuse-java+help@xxxxxxxxxxxx
N▀╖╡ФЛr╦⌡yИ ┼Z)z{.╠Хз╫╞╝·к⌡╠йБmЙ)z{.╠Й+─Z+iвb╤*'jW( f╖vг╕j)h╔ИЛ╨гёjЖ╬┘Иi╒≈╖╡К╒╦