Paul Libbrecht wrote:
To me this just means that the signature is, for JNLP deployers, a job
of the deployer, or the end-developer and that a signature of Apache
Foundation would not help.
Correct with that ?
From my point of view you are correct, though my opinion is not necessarily the opinion of everyone
else.
Can you tell a bit more ?
E.g. is there a comparison between the fields of the JNLP and the fields
of the certificate?
I don't know of the internals of webstart on how it checks the certs in the jars.
Assume you have one jnlp file. The webstart client assumes that ALL jars are signed with the same
certificate, else it will stop with an error. This is to prevent users having to accept different
certificates. A way to use eg apache signed jars, is to add an "extension" jnlp file in the main
jnlp file.
There is one rule though : The extensions may not contain code from the same packages as contained
in the main (I don't know the exact rules for this, but that is probably in the jnlp spec).
In short : it gives the ASF extra burden to sign the jars (and release every once in a while, since
those certs actually expire at some point in time) and I don't see the real benefit users and the
ASF are getting out of that. If people want to sign their application, just let them also sign all
the other stuff along with it.
Hope this helps :)
Mvgr,
Martin
thanks
paul
Martin van den Bemt wrote:
Yep I used it on a regular basis, although it's been a year or so,
since I last did this..
I just took the short path : (re) sign all the jars that go into a
webstarted application.
All signatures in a/each jnlp file should be the same. So eg if all
external dependencies are signed by the creator, you need to create a
separate jnlp (include like) file per unique cert, which can kind of
suck from a release manager perspective.
So my preferred way is to just (re) sign everything with the same cert..
Mvgr,
Martin
Paul Libbrecht wrote:
I suppose that, with Java Web Start, the jar-signing mechanism may
request at least one authorization for each signing key...
Has anyone tested a java-web-start application where jars are from
different originators?
If, indeed as I fear, there are several requests for trust presented
to the user, I think ASF jar-signing would help nothing for JNLP
deployments...
paul
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
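The same-certificate rule discussed in this thread can be checked before deployment. The following is an added example, not part of the original messages or of any ASF tooling: it groups the jars listed for one JNLP file by the SHA-256 fingerprint of their signer certificate. The class name `JnlpSignerCheck` is hypothetical, and it assumes "same certificate" means the same signer certificate on every entry; it does not check trust chains or expiry.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical pre-deployment check: do all jars of one JNLP file share one signer?
public class JnlpSignerCheck {

    // SHA-256 fingerprints of the signer certificates on a jar's entries ("UNSIGNED" if none).
    static Set<String> signerFingerprints(String path) throws Exception {
        Set<String> prints = new TreeSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {      // true: verify signatures while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                // Skip META-INF/: the manifest and signature files there carry no signer.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }         // signers are only known after a full read
                }                                          // a modified entry throws SecurityException
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { prints.add("UNSIGNED"); continue; }
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    byte[] d = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
                    prints.add(String.format("%064x", new BigInteger(1, d)));
                }
            }
        }
        return prints;
    }

    public static void main(String[] jars) throws Exception {
        Map<Set<String>, List<String>> bySigner = new LinkedHashMap<>();
        for (String jar : jars) {
            bySigner.computeIfAbsent(signerFingerprints(jar), k -> new ArrayList<>()).add(jar);
        }
        bySigner.forEach((signer, files) -> System.out.println(signer + " <- " + files));
        boolean unsigned = bySigner.keySet().stream().anyMatch(s -> s.contains("UNSIGNED"));
        // More than one group: re-sign everything with one cert, or move a group to an extension JNLP.
        if (bySigner.size() > 1 || unsigned) {
            System.err.println("FAIL: jars do not share a single signer");
            System.exit(1);
        }
        System.out.println("OK: all jars share one signer");
    }
}
```

Run it with the jar paths referenced by a single jnlp file as arguments; each printed group corresponds to one signer and therefore to one jnlp file (main or extension).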