Paul Libbrecht wrote:
To me this just means that the signature is, for JNLP deployers, a job of the deployer, or the end-developer and that a signature of Apache Foundation would not help.
Correct with that?

From my point of view you are correct, though my opinion is not necessarily the opinion of everyone else.

Can you tell a bit more?
E.g. is there a comparison between the fields of the JNLP and the fields of the certificate?

I don't know the internals of webstart, i.e. how it checks the certs in the jars.
Assume you have one jnlp file. The webstart client assumes that ALL jars are signed with the same certificate, else it will stop with an error. This is to prevent users having to accept different certificates. A way to use e.g. apache signed jars is to add an "extension" jnlp file in the main jnlp file. There is one rule though: the extensions may not contain code from the same packages as contained in the main (I don't know the exact rules for this, but that is probably in the jnlp spec).

In short: it gives the ASF extra burden to sign the jars (and re-release every once in a while, since those certs actually expire at some point in time) and I don't see the real benefit users and the ASF are getting out of that. If people want to sign their application, just let them also sign all the other stuff along with it.

Hope this helps :)

Mvgr,
Martin


thanks

paul
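A small planning helper for the rule Martin describes above (every jar referenced by one JNLP file must carry the same signature; jars from another signer go into a separate "extension" JNLP). This is an added example, not code from the thread: the JNLP, the jar names and the signer labels are constructed, and in a real release the signer of each jar would be read from `jarsigner -verify -verbose -certs`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample main JNLP (not from the thread): the two "commons" jars
# are signed by a hypothetical upstream signer, the rest by the deployer.
MAIN_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/app" href="app.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <jar href="app.jar" main="true"/><jar href="util.jar"/>
    <jar href="commons-lang.jar"/><jar href="commons-io.jar"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""

# Constructed signer labels; in practice take them from `jarsigner -verify -verbose -certs`.
SIGNERS = {"app.jar": "deployer-cert", "util.jar": "deployer-cert",
           "commons-lang.jar": "upstream-cert", "commons-io.jar": "upstream-cert"}

def signers_in(jnlp_xml, signers):
    """Distinct signers referenced by one JNLP; Web Start needs exactly one."""
    return {signers[j.get("href")] for j in ET.fromstring(jnlp_xml).iter("jar")}

def plan_extensions(jnlp_xml, signers):
    """Split a mixed-signer JNLP: keep the main jar's signer in the main file and
    move every other signer's jars into its own <extension> (component) JNLP."""
    root = ET.fromstring(jnlp_xml)
    resources = root.find("resources")
    main_jar = next(j for j in root.iter("jar") if j.get("main") == "true")
    keep = signers[main_jar.get("href")]
    groups = defaultdict(list)
    for jar in list(resources.findall("jar")):
        sig = signers[jar.get("href")]
        if sig != keep:
            groups[sig].append(jar)
            resources.remove(jar)
    exts = {}
    for n, (sig, jars) in enumerate(sorted(groups.items()), 1):
        name = f"ext{n}.jnlp"
        ET.SubElement(resources, "extension", href=name)  # reference from the main JNLP
        ext = ET.Element("jnlp", spec="1.0+", codebase=root.get("codebase"), href=name)
        info = ET.SubElement(ext, "information")
        ET.SubElement(info, "title").text = f"Extension {n}"
        ET.SubElement(info, "vendor").text = "signed by " + sig
        if root.find("security") is not None:
            ext.append(root.find("security"))  # same permission level as the main JNLP
        ET.SubElement(ext, "resources").extend(jars)
        ET.SubElement(ext, "component-desc")
        exts[name] = ET.tostring(ext, encoding="unicode")
    return ET.tostring(root, encoding="unicode"), exts
```

Running `signers_in` on the main file and on each generated extension should return a single signer each; if it does not, the set of jars still needs splitting further.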

Martin van den Bemt wrote:

Yep, I used it on a regular basis, although it's been a year or so since I last did this.. I just took the short path: (re)sign all the jars that go into a webstarted application. All signatures in a/each jnlp file should be the same. So e.g. if all external dependencies are signed by the creator, you need to create a separate jnlp (include-like) file per unique cert, which can kind of suck from a release manager perspective.
So my preferred way is to just (re)sign everything with the same cert..


Mvgr,
Martin

Paul Libbrecht wrote:

Paul Libbrecht wrote:

I suppose that, with Java Web Start, the jar-signing mechanism may request at least one authorization for each signing key...



Has anyone tested a java-web-start application where jars are from different originators? If, indeed as I fear, there are several requests for trust presented to the user, I think ASF jar-signing would help nothing for JNLP deployments...

paul



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]