To sign a .jar with PGP
Nicolas BONARDELLE
cbonar at gmail.com
Tue Nov 30 22:57:30 CET 2004
Hi list,
I'm thinking about using Jar in a Java application I'm coding.
Not only as an archiving means, but also because it can be signed easily.
To make the long story short, the Jar archive would contain a text file, and
would be signed by everyone who enters in its possession and agrees with the
content of the text file. The signer would then distribute the newly signed
Jar to others.
Since I can't ask every user to get a X.509 certificate, the idea is to sign
the .jar with their PGP key by following exactly the Jar and Manifest
specifications (http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html).
Those specs tell us that PKCS7 RSA, PKCS7 DSA and PGP are supported by
default, and even that one can use its own algorithm.
However, I have a few problems :
1- I can't find any live example of Jar signed with PGP
2- can't even any info about doing it programmatically
3- the 'keytool' util (with Sun's jdk) don't want to import my PGP keys in
the .keystore (even if I ask him very kindly) so I can use it with the
'jarsigner' util :-[
So, a few questions that may protect me from doing naughty things :
1- am I totally nuts to want to do this ?
2- do you know a way to intrude my PGP key in the evil .keystore ?
3- do you know some application on the web (and open source preferably) using
PGP to sign Jar archives ?
cheers, cbonar
More information about the Gnupg-users
mailing list