To sign a .jar with PGP
hmujtaba at forumsys.com
Wed Dec 1 00:23:33 CET 2004
Take a look at BouncyCastle's Java OpenPGP provider
(www.bouncycastle.org). It explains with examples how to sign files
using PGP keys. And it might even give you a PGP to X.509 converter
class which you can use to store your PGP keys in a Java KeyStore.
From: gnupg-users-bounces at gnupg.org
[mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Nicolas BONARDELLE
Sent: Tuesday, November 30, 2004 4:58 PM
To: gnupg-users at gnupg.org
Subject: To sign a .jar with PGP
I'm thinking about using Jar in a Java application I'm coding.
Not only as an archiving means, but also because it can be signed
To make the long story short, the Jar archive would contain a text file,
would be signed by everyone who enters in its possession and agrees with
content of the text file. The signer would then distribute the newly
Jar to others.
Since I can't ask every user to get a X.509 certificate, the idea is to
the .jar with their PGP key by following exactly the Jar and Manifest
Those specs tell us that PKCS7 RSA, PKCS7 DSA and PGP are supported by
default, and even that one can use its own algorithm.
However, I have a few problems :
1- I can't find any live example of Jar signed with PGP
2- can't even any info about doing it programmatically
3- the 'keytool' util (with Sun's jdk) don't want to import my PGP keys
the .keystore (even if I ask him very kindly) so I can use it with the
'jarsigner' util :-[
So, a few questions that may protect me from doing naughty things :
1- am I totally nuts to want to do this ?
2- do you know a way to intrude my PGP key in the evil .keystore ?
3- do you know some application on the web (and open source preferably)
PGP to sign Jar archives ?
Gnupg-users mailing list
Gnupg-users at gnupg.org
More information about the Gnupg-users