Date: Fri, 11 Jul 1997 12:35:49 -0700 (PDT)
From: Gigi Ankeny <Gigi.Ankeny@Eng>
Subject: Re: Signing JAR files
To: java-security@web2.javasoft.com, cliao@nortel.ca
>
> 1. In the document <<Manifest Format>>, it is said that we can sign
> portions of a JAR file. By using javakey, can we do it? It seems to
> me that if we use javakey, we sign the whole JAR file.
>
No, you can do that with the current javakey tool; however, the manifest format
is still valid and we are working on providing a more powerful tool in the near
future to include those kinds of functionality.
> 2. I remember that I have seen somewhere that we sign only class files
> in a JAR file. Is that true? I have tried javakey tool to sign a JAR.
> The extracted xxxxSIG.SF file indicated that all files in the JAR were
> signed.
>
No, it is not true that you can only sign class files.
> 3. In the document <<Manifest Format>>, it says that each signer is
> represented by a signature. It seems to me that there is only one
> signature file (xxxSIG.SF + xxxSIG.DSA) per signer per JAR file and
> in the signature file (xxxSIG.SF), we have a block for each signed
> file contained in the JAR file. Am I right?
>
> I thank you in advance for your answer.
>
The files that one signer signs are authenticated by its SIG.SF and SIG.DSA,
i.e. if you have two signers, Alice and Bob, who both want to sign this jar file,
then you would end up with AliceSIG.SF + AliceSIG.DSA and BobSIG.SF and
BobSIG.DSA.
I hope that helps.
would use the javakey to do it twice and end up with
> Christian Liao
> Nortel (Northern Telecom)
> Canada
>
--
Gigi Lee
security group engineer
Rm 1436, MailStop UCUP02-102
JavaSoft, 20525 Marianni Blvd.
Cupertino, CA 95014
mailto:gigi.ankeny@eng.sun.com
HomePage: http://java.sun.com/people/gigi/
http://www-cs-students.stanford.edu/~gigi
Phone: (408) 863-3135
Fax:
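An added example, not part of the original message and not javakey's own code: a small auditor that reads each signer's .SF file in a JAR and reports which entries that signer's signature file lists, which it leaves out, and whether the matching .DSA block is present. It does not verify any signature; the sample JAR, its digest values and the function names are constructed for illustration.

```python
import io
import zipfile

def parse_sf(text):
    """Return the entry names listed in the per-entry sections of an .SF file."""
    # A line that starts with a single space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    names = []
    for section in unfolded.split("\n\n")[1:]:  # section 0 is the main header
        for line in section.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "name":
                names.append(value)
    return names

def signer_coverage(jar_bytes):
    """Map each signer (the .SF base name) to what its signature file lists."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = jar.namelist()
        payload = {n for n in entries if not n.upper().startswith("META-INF/")}
        report = {}
        for n in entries:
            if n.upper().startswith("META-INF/") and n.upper().endswith(".SF"):
                base = n[:-3]
                listed = set(parse_sf(jar.read(n).decode("utf-8")))
                report[base.split("/")[-1]] = {
                    "has_block": base + ".DSA" in entries,
                    "covered": sorted(listed & payload),
                    "unsigned": sorted(payload - listed),
                }
        return report

def build_sample_jar():
    """Constructed sample: digests and .DSA contents are placeholders."""
    def sf(names):
        body = "".join(f"Name: {n}\nSHA-Digest: PLACEHOLDER=\n\n" for n in names)
        return "Signature-Version: 1.0\n\n" + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for n in ("A.class", "logo.gif", "README.txt"):
            jar.writestr(n, b"constructed")
        jar.writestr("META-INF/AliceSIG.SF", sf(["A.class", "logo.gif"]))
        jar.writestr("META-INF/AliceSIG.DSA", b"placeholder")
        # "logo.\n gif" exercises the continuation-line unfolding.
        jar.writestr("META-INF/BobSIG.SF", sf(["A.class", "logo.\n gif", "README.txt"]))
        jar.writestr("META-INF/BobSIG.DSA", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for signer, info in signer_coverage(build_sample_jar()).items():
        print(signer, info)
```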