Could you load the classes in a secure loader and then try various methods - pulled out through reflection? Presumably you'd get an exception if you tried to execute a method in a secure environment when the class wasn't signed? Failing that is there anything in the bytecode, just read the correct segment of the class to discover if it's signed. How else would the VM know if the jar was signed without checking the classes?
Here are my current plans
-pull the declaration of <verifyjar>, tests, etc.
-I'd leave the code over in optional, always excluded, with a "here is why this is broken" comment. Its aim is to warn off others.
-Not attempt to use jar signing as a way of verifying JAR downloads in <libraries>; this was my plan.
Jar downloads could be verified by checksum though. Although the MD5 and SHA1 have been shown to be susceptible to brute-force attacks.
Kev
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
