Support jar signing.
--------------------
Key: MNG-1130
URL: http://jira.codehaus.org/browse/MNG-1130
Project: Maven 2
Type: New Feature
Components: maven-jar-plugin
Versions: 2.0-beta-3
Environment: gentoo linux, jdk 1.4.2_06
Reporter: Corridor Software Developer
Attachments: mng-1130.tar.gz
The Java webstart framework requires that jars used by a webstart application
be signed.
Create a new goal on the maven jar plugin called jar:sign. The goal would take a keystore file as input and sign the project artifact prior to installing it to the local repository or deploying it to the repo.
The plugin should also allow a specific dependency or dependencies, as well as it's runtime dependencies to be signed.
This functionality is required prior to finishing the webstart-maven-plugin.
Two example test projects will be attached to the ticket shortly.
this is just a heads upm that I believe signed JNLP JAR files are
vulnerable to attack, because the jnlp descriptor itself is not
authenticated, and runs any main class in the entire suite of JARs. So
you need to be sure that all JARs that you sign do not contain static
main methods, or any of them can run on the users's box with the rights
you are granted. Not good.
I dont have a proof of concept yet, but am starting to code the tool to
search a jar for entry points for this very reason; then parse a jnlp to
look for back doors in its jars. I currently do not consider signing and
distributing any third party apps a sensible action.
-Steve
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
