views: 194
answers: 3

What is the point of signing your code like Java's jars when everyone can do it with jarsigner? How does it provide security?

+9  A: 

The point of signing a JAR file is to verify that it has not been tampered with. Once a jar file is signed you can verify that this file hasn't been modified by someone else. This ensures that the file originates from the person that originally signed it. If someone has modified the file in between, the signature verification process will fail. You may check this article for more details on how public key cryptography can be used to produce digital signatures.

Darin Dimitrov
+5  A: 

When you sign a jar file you can show that it was you that signed it and not someone else.

It's the same idea when you sign a document - only you can write your signature. Other people can sign it, but they'll sign it with their signature, not yours.

With hand-written signatures a skilled forger can learn to copy your signature. With digital signatures it is much more difficult to make a copy because you need to get that person's private key. Without the private key you cannot make a signature that looks like theirs.

Mark Byers
+4  A: 

Signing a jar ties the contents back to a particular certificate. So what is that certificate proving?

If the private key for the certificate has been stolen, then not very much. There are tamper-proof devices for keeping private keys. However, private keys often lie about on developer machines. Those machines are probably not well protected.

A certificate may itself be signed by a well known Certificate Authority (CA). So the end-user has some confidence that content has the claimed origin. The amount of verification that the certificate key holder is who they claim to be varies. This has led to a race-to-the-bottom where CAs simplify procedures to offer lower prices.

Even for unverified certificates, different content signed with the same certificate shows a common origin. So if you make a decision to trust a certificate, you can receive more content from the same origin without trusting anyone else.

Tom Hawtin - tackline
You mean private key, not certificate, in most of the above.
EJP
@EJP Certificate as including the private key? The signing mechanism of trust is not really my speciality.
Tom Hawtin - tackline
You have a certificate, which is public and contains the public key, and a private key. In a Java keystore the private key is also wrapped in a cert but that's just an implementation detail, it never comes out like that, and you would be concerned primarily about theft of the entire keystore, or (somehow) the private key. Talking about theft of certs doesn't make sense, they are public.
EJP
@EJP Makes sense. Although I think the common parlance is to say "signed with a certificate".
Tom Hawtin - tackline
You provide the public certificate with the signature so it can be verified; i.e. you provide the public key so it can be used to verify the signature you created with the private key; and you provide the cert so that identity can be established. Loss of that certificate is immaterial because it doesn't contain the private key, so the thief can't create more signatures with it, i.e. forge your identity.
EJP
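The two points made in the answers above, that a signature lets you detect a modified entry and that once you decide to trust one certificate you can accept further content from that same origin, can both be checked in code on the consuming side. This is an added example and not code from any of the answers; it assumes a Java runtime and a placeholder `TRUSTED_FINGERPRINT` that you replace with the SHA-256 fingerprint of the certificate you actually trust (`keytool -printcert` prints it).

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {
    // SHA-256 fingerprint of the certificate you decided to trust (hypothetical placeholder, fill in yours)
    static final String TRUSTED_FINGERPRINT = "<sha256-hex-of-trusted-signer-cert>";

    public static void main(String[] args) throws Exception {
        boolean ok = true;
        // verify=true: the digests recorded in the .SF file are checked against each entry as it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String n = entry.getName().toUpperCase();
                // Only the manifest and the .SF/.RSA/.DSA/.EC signature files are unsigned by design;
                // anything else under META-INF (e.g. services/) must be signed like every other entry.
                boolean sigMeta = n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                        && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
                if (entry.isDirectory() || sigMeta) continue;
                // getCodeSigners() is only populated once the entry has been read in full;
                // a digest mismatch (modified content) surfaces here as a SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume the entry to trigger verification */ }
                } catch (SecurityException e) {
                    System.out.println("TAMPERED: " + entry.getName()); ok = false; continue;
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null for an unsigned entry
                if (signers == null) { System.out.println("UNSIGNED: " + entry.getName()); ok = false; continue; }
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    // The first certificate in the signer's path is the signing certificate itself
                    Certificate cert = signer.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(cert).equalsIgnoreCase(TRUSTED_FINGERPRINT)) trusted = true;
                }
                if (!trusted) { System.out.println("UNTRUSTED SIGNER: " + entry.getName()); ok = false; }
            }
        }
        System.out.println(ok ? "OK: every entry is signed by the trusted certificate" : "FAILED");
        System.exit(ok ? 0 : 1);
    }

    static String fingerprint(Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Run it as `java VerifySignedJar app.jar`. Pinning the fingerprint rather than the subject name is what makes the check meaningful: anyone can run jarsigner with a self-signed certificate carrying the same name, but they cannot produce a certificate with the same fingerprint as yours.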