Thread: Availability of a Signed Version of postgresql.jar
It's available a Signed Version of postgresql.jar ?
On Thu, 8 Jul 2004, Dario V. Fassi wrote: > It's available a Signed Version of postgresql.jar ? > No, but why would you want one? As I understand it signed jar files are only useful in a sandboxed environment where access to protected resources is desired. The postgresql jar file itself is useless without an application calling it so the application should include the postgresql.jar file and be signed, not the pg jar file. Further as the driver is maintained by unrelated volunteers there are problems because no one individual is in charge of producing the jar files and there is no certificate chain available from someone like Verisign. Kris Jurka
For "Trusted Java applications" and "J2EE Client applications" , any jar deployed with (or part of) the application must be signed.
For JavaWebStart applications , if you need to deploy the postgresql.jar as a component of the application , then must be signed, otherwise all the application is considered "Not trusted".
Of course , anyone can sign postgresql.jar with their own certificate (or self signed certificate), but how in JavaWebStart the certificate is presented to the user for acceptance , will be better if the certificate belong to the official organization.
If the development group don't have a real certificate , since the development group is a non-profit organization, I think that Verising or any other certification authority can donate one.
Kris Jurka wrote:
Dario V. Fassi
SISTEMATICA ingenieria de software srl
Ituzaingo 1628 (2000) Rosario, Santa Fe, Argentina.
Tel / Fax: +54 (341) 485.1432 / 485.1353
For JavaWebStart applications , if you need to deploy the postgresql.jar as a component of the application , then must be signed, otherwise all the application is considered "Not trusted".
Of course , anyone can sign postgresql.jar with their own certificate (or self signed certificate), but how in JavaWebStart the certificate is presented to the user for acceptance , will be better if the certificate belong to the official organization.
If the development group don't have a real certificate , since the development group is a non-profit organization, I think that Verising or any other certification authority can donate one.
Kris Jurka wrote:
On Thu, 8 Jul 2004, Dario V. Fassi wrote:It's available a Signed Version of postgresql.jar ?No, but why would you want one? As I understand it signed jar files are only useful in a sandboxed environment where access to protected resources is desired. The postgresql jar file itself is useless without an application calling it so the application should include the postgresql.jar file and be signed, not the pg jar file. Further as the driver is maintained by unrelated volunteers there are problems because no one individual is in charge of producing the jar files and there is no certificate chain available from someone like Verisign. Kris Jurka
--
Dario V. Fassi
SISTEMATICA ingenieria de software srl
Ituzaingo 1628 (2000) Rosario, Santa Fe, Argentina.
Tel / Fax: +54 (341) 485.1432 / 485.1353
On Thu, 8 Jul 2004, Dario V. Fassi wrote: > Of course , anyone can sign postgresql.jar with their own certificate > (or self signed certificate), but how in JavaWebStart the certificate > is presented to the user for acceptance , will be better if the > certificate belong to the official organization. This makes sense, but isn't exactly an item that anyone else has been begging for. Does it matter which developer signs it? Does it need to be the same one every time? If yes, then we don't have that infrastructure available at the moment and I don't see how to build it given the looseness of our organization. If no, then why not just sign it yourself. I guess I just fail to see the point of self signing. > If the development group don't have a real certificate , since the > development group is a non-profit organization, I think that Verising or > any other certification authority can donate one. I'll believe that when I see it. Kris Jurka
Kris Jurka wrote: > This makes sense, but isn't exactly an item that anyone else has been > begging for. Does it matter which developer signs it? Does it need > to be the same one every time? If yes, then we don't have that > infrastructure available at the moment and I don't see how to build > it given the looseness of our organization. If no, then why not just > sign it yourself. I guess I just fail to see the point of self > signing. One use of code-signing is to prevent the distribution of "fake" versions of code. *IF* the person using the code properly and conscientiously verifies the signature on the code, then they can be sure that the signer signed the exact copy they've received. This protects against an attack whereby a web or ftp server is compromised and people download versions of the driver with trojan horses embedded... or even just where a trojan horse is distributed by "back" channels aside from the web site. For this purpose, any relatively trusted person who contributes to PostgreSQL could grab the code, audit it for trojan horses, and then sign it. The signed version would prevent replacing the driver with an obvious trojan horse. Nevertheless, since the code isn't really developed in a controlled "private" environment to begin with, the signature would only mean that there aren't obvious flaws. In essense, it's no harder to postulate that someone compromises the CVS server as that someone compromises a web or ftp server, so some of the point is lost. -- www.designacourse.com The Easiest Way to Train Anyone... Anywhere. Chris Smith - Lead Software Developer/Technical Trainer MindIQ Corporation