To sign a .jar with PGP

Nicolas BONARDELLE cbonar at gmail.com
Tue Nov 30 22:57:30 CET 2004


Hi list,

I'm thinking about using Jar in a Java application I'm coding.
Not only as an archiving means, but also because it can be signed easily.

To make the long story short, the Jar archive would contain a text file, and 
would be signed by everyone who enters in its possession and agrees with the 
content of the text file. The signer would then distribute the newly signed 
Jar to others.
Since I can't ask every user to get a X.509 certificate, the idea is to sign 
the .jar with their PGP key by following exactly the Jar and Manifest 
specifications (http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html).
Those specs tell us that PKCS7 RSA, PKCS7 DSA and PGP are supported by 
default, and even that one can use its own algorithm.

However, I have a few problems :
1- I can't find any live example of Jar signed with PGP
2- can't even any info about doing it programmatically
3- the 'keytool' util (with Sun's jdk) don't want to import my PGP keys in 
the .keystore (even if I ask him very kindly) so I can use it with the 
'jarsigner' util :-[

So, a few questions that may protect me from doing naughty things :

1- am I totally nuts to want to do this ?
2- do you know a way to intrude my PGP key in the evil .keystore ?
3- do you know some application on the web (and open source preferably) using 
PGP to sign Jar archives ?


cheers, cbonar



More information about the Gnupg-users mailing list