I noticed that widget packaging uses XML signatures (notorious for bugs in canonicalization/reserialization code) for signing zip files. However, signing zip files has been solved long ago for Java jar files. The mechanism or a variation of it is also used for Mozilla xpi files and ODF documents.

Wouldn't it be simpler to use jar signing instead of inventing a new way of signing zip files with implementation dependencies on XML signatures and spec dependencies on XSD? (Why does the spec have dependencies on XSD?)

Jar signing is pretty simple compared to XML canonicalization & reserialization. When you need to reserialize XML, you import all the troubles of serializing XML (see e.g. https://issues.apache.org/bugzilla/buglist.cgi?query_format=advanced&product=Security&component=Canonicalization&cmdtype=doit ). The META-INF folder is ugly, but unsigned widgets could omit it, and it isn't much uglier than an XML signature file on the top level of the zip archive.

--
Henri Sivonen
hsivo...@iki.fi
http://hsivonen.iki.fi/



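The jar-signing layout the post points to (a manifest of per-entry digests, a signature file that digests the manifest, and a detached signature over that file), sketched as an added example that is not the poster's code and not the output of any jar or widget tool. It uses only the Python standard library; a real signed jar carries a PKCS#7 signature block (.RSA/.DSA) over the .SF file, and here an HMAC-SHA256 keyed with a shared secret stands in for that block so the script runs offline. The entry names, contents and key are constructed for the demonstration. The point it makes is the one the post makes: every digest is taken over the raw entry bytes, so nothing has to be canonicalized or reserialized, and the verifier only has to check that each listed entry still matches and that no unlisted entry has been slipped in.

```python
"""Jar-style signing of a zip archive in stdlib Python (added example)."""
import hashlib
import hmac
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_FILE = "META-INF/DEMO.SF"
SIG_BLOCK = "META-INF/DEMO.SIG"   # stand-in for the .RSA/.DSA PKCS#7 block

# Constructed demo inputs (not from the post).
KEY = b"constructed-demo-key"
ENTRIES = {"config.xml": b"<widget/>", "index.html": b"<p>hi</p>"}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(entries: dict) -> bytes:
    """One section per entry; the digest covers the raw entry bytes as stored."""
    body = "Manifest-Version: 1.0\n\n"
    for name, data in sorted(entries.items()):
        body += f"Name: {name}\nSHA-256-Digest: {_digest(data)}\n\n"
    return body.encode()


def build_sf(manifest: bytes) -> bytes:
    """The .SF file binds the whole manifest by its digest."""
    return f"Signature-Version: 1.0\nSHA-256-Digest-Manifest: {_digest(manifest)}\n".encode()


def sign_zip(entries: dict, key: bytes) -> bytes:
    manifest = build_manifest(entries)
    sf = build_sf(manifest)
    # Real jar signing: PKCS#7 signature over sf. Here: HMAC as a stand-in.
    sig = hmac.new(key, sf, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr(MANIFEST, manifest)
        z.writestr(SIG_FILE, sf)
        z.writestr(SIG_BLOCK, sig)
    return buf.getvalue()


def parse_manifest(manifest: bytes) -> dict:
    """Map entry name -> hex digest from the manifest sections."""
    digests, name = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
            name = None
    return digests


def verify_zip(blob: bytes, key: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if not {MANIFEST, SIG_FILE, SIG_BLOCK} <= names:
            return False
        manifest, sf, sig = z.read(MANIFEST), z.read(SIG_FILE), z.read(SIG_BLOCK)
        # 1. The signature covers the .SF bytes.
        expected = hmac.new(key, sf, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return False
        # 2. The .SF binds the manifest.
        if f"SHA-256-Digest-Manifest: {_digest(manifest)}".encode() not in sf.splitlines():
            return False
        # 3. The manifest binds every entry, and no content entry is unlisted.
        digests = parse_manifest(manifest)
        content = {n for n in names if not n.startswith("META-INF/")}
        if content != set(digests):
            return False
        return all(hmac.compare_digest(digests[n], _digest(z.read(n))) for n in content)


def tamper(blob: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the archive with one entry replaced or added (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            if n != name:
                dst.writestr(n, src.read(n))
        dst.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    signed = sign_zip(ENTRIES, KEY)
    print("intact:", verify_zip(signed, KEY))
    print("modified entry:", verify_zip(tamper(signed, "index.html", b"<p>changed</p>"), KEY))
    print("added entry:", verify_zip(tamper(signed, "extra.js", b"x"), KEY))
```

Step 3 of `verify_zip` is the check that is easy to forget: a manifest that matches every listed entry says nothing about entries the signer never listed, so the verifier compares the set of content entries against the set of manifest sections rather than only iterating over the manifest.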