Re: Code signing WAR and verification
On 14 February 2017 13:55:33 GMT+00:00, ramnar wrote: >Is this feature implemented in tomcat 8 or still in pipeline https://bz.apache.org/bugzilla/show_bug.cgi?id=52489 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Code signing WAR and verification
Is this feature implemented in tomcat 8 or still in pipeline -- View this message in context: http://tomcat.10.x6.nabble.com/Code-signing-WAR-and-verification-tp5053711p5060436.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Code signing WAR and verification
Am 09.08.2016 um 19:48 schrieb Mark Thomas: On 09/08/2016 18:29, Stefan Mayr wrote: Hi, two colleagues came with an idea that our new java platform should only run signed code. In the java world I've only seen signed java applets. From a bit of internet research it looks like any JAR, WAR or EAR can be signed with jarsigner (maybe all zip files?). Some sources indicate that this is supported or verified in WebLogic. So how about Tomcat? Is there any verification of signed code or are there any configuration flags to enable/enforce/disable this? I would guess the signature is ignored. Am I wrong? You are correct. Signatures on a WAR will be ignored. https://bz.apache.org/bugzilla/show_bug.cgi?id=52489 I don't see a signature verification in the patch. But from the description it might be enough to trigger the SecurityManager somehow. I'm far from convinced that the proposed patch on that issue is sufficient. I'm also not convinced that there is a standard for signing WARs. Some authoritative references (i.e. to official Java SE or Java EE docs) would be very helpful. Mark Specs are hard to find. For jars a nice description can be found in [1]. The servlet spec [2] mentions that "Web applications can be packaged and signed into a Web ARchive format (WAR) file using the standard Java archive tools." But when I ran over the servlet spec I did not find a description how the servlet container should handle signed war files. Or is this delegated to the security manager? This is still a mystery to me. Especially when I think of think of JSPs and their on-demand compilation. What can be the magic phrase we should look for? Stefan Mayr [1] http://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File [2] http://download.oracle.com/otndocs/jcp/servlet-2.4-fr-spec-oth-JSpec/ see SRV.9.6 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Code signing WAR and verification
On 09/08/2016 18:29, Stefan Mayr wrote: > Hi, > > two colleagues came with an idea that our new java platform should only > run signed code. In the java world I've only seen signed java applets. > From a bit of internet research it looks like any JAR, WAR or EAR can be > signed with jarsigner (maybe all zip files?). > > Some sources indicate that this is supported or verified in WebLogic. So > how about Tomcat? Is there any verification of signed code or are there > any configuration flags to enable/enforce/disable this? > > I would guess the signature is ignored. Am I wrong? You are correct. Signatures on a WAR will be ignored. https://bz.apache.org/bugzilla/show_bug.cgi?id=52489 I'm far from convinced that the proposed patch on that issue is sufficient. I'm also not convinced that there is a standard for signing WARs. Some authoritative references (i.e. to official Java SE or Java EE docs) would be very helpful. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Code signing WAR and verification
Hi, two colleagues came with an idea that our new java platform should only run signed code. In the java world I've only seen signed java applets. From a bit of internet research it looks like any JAR, WAR or EAR can be signed with jarsigner (maybe all zip files?). Some sources indicate that this is supported or verified in WebLogic. So how about Tomcat? Is there any verification of signed code or are there any configuration flags to enable/enforce/disable this? I would guess the signature is ignored. Am I wrong? Thank you, Stefan Mayr - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
