On 09/08/2016 18:29, Stefan Mayr wrote:
> Hi,
>
> two colleagues came with an idea that our new Java platform should only
> run signed code. In the Java world I've only seen signed Java applets.
> From a bit of internet research it looks like any JAR, WAR or EAR can be
> signed with jarsigner (maybe all zip files?).
>
> Some sources indicate that this is supported or verified in WebLogic. So
> how about Tomcat? Is there any verification of signed code or are there
> any configuration flags to enable/enforce/disable this?
>
> I would guess the signature is ignored. Am I wrong?
You are correct. Signatures on a WAR will be ignored.

https://bz.apache.org/bugzilla/show_bug.cgi?id=52489

I'm far from convinced that the proposed patch on that issue is sufficient. I'm also not convinced that there is a standard for signing WARs. Some authoritative references (i.e. to official Java SE or Java EE docs) would be very helpful.

Mark
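Since Tomcat ignores the signature, any checking has to happen before the WAR is deployed. The following is an added example, not code from this thread or from Tomcat: it recomputes the per-entry SHA-256 digests recorded in META-INF/MANIFEST.MF, flags entries whose content differs from what the manifest covers or that the manifest never listed, and runs that over a constructed sample WAR in which index.jsp was edited and a class was added after the manifest was written. It does not validate the .SF/.RSA signature block itself (jarsigner -verify does that), so it complements rather than replaces a signature check.

```python
import base64, hashlib, io, zipfile

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Map each 'Name:' section of a JAR manifest to its attributes."""
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")  # rejoin 72-byte wrapped lines
    sections, current = {}, {}
    for line in lines + [""]:               # trailing "" flushes the final section
        if line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        else:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
    return sections

def check_war_digests(war_bytes):
    """Return (has_signature_files, entries whose SHA-256 differs from the manifest, entries not covered)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        sig_exts = (".SF", ".RSA", ".DSA", ".EC")
        has_sig = any(n.startswith("META-INF/") and n.upper().endswith(sig_exts) for n in names)
        sections = parse_manifest(war.read("META-INF/MANIFEST.MF").decode("utf-8"))
        mismatched, unlisted = [], []
        for n in names:
            if n.endswith("/") or n.startswith("META-INF/"):   # skip directories and signature metadata
                continue
            claimed = sections.get(n, {}).get("SHA-256-Digest")
            if claimed is None:
                unlisted.append(n)
            elif claimed != b64_sha256(war.read(n)):
                mismatched.append(n)
    return has_sig, sorted(mismatched), sorted(unlisted)

def build_sample_war():
    """Constructed sample, not a real signed WAR: index.jsp was edited and Evil.class added after the manifest was written; .SF/.RSA are stubs."""
    manifest = "Manifest-Version: 1.0\n\n" + "".join("Name: %s\nSHA-256-Digest: %s\n\n" % (n, b64_sha256(d))
        for n, d in [("WEB-INF/web.xml", b"<web-app/>"), ("index.jsp", b"<html>hello</html>")])
    shipped = {"META-INF/MANIFEST.MF": manifest, "META-INF/APP.SF": "stub", "META-INF/APP.RSA": "stub",
               "WEB-INF/web.xml": b"<web-app/>", "index.jsp": b"<html>tampered</html>",
               "WEB-INF/classes/Evil.class": b"\xca\xfe"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name, data in shipped.items():
            war.writestr(name, data)
    return buf.getvalue()
```

A non-empty mismatch or unlisted list is grounds to reject the archive at deploy time regardless of whether the signature block files are present.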
