Thread: Availability of a Signed Version of postgresql.jar

Availability of a Signed Version of postgresql.jar

From
"Dario V. Fassi"
Date:
It's available a  Signed Version of   postgresql.jar  ?


Re: Availability of a Signed Version of postgresql.jar

From
Kris Jurka
Date:

On Thu, 8 Jul 2004, Dario V. Fassi wrote:

> It's available a  Signed Version of   postgresql.jar  ?
>

No, but why would you want one?  As I understand it signed jar files are
only useful in a sandboxed environment where access to protected resources
is desired.  The postgresql jar file itself is useless without an
application calling it so the application should include the
postgresql.jar file and be signed, not the pg jar file.

Further as the driver is maintained by unrelated volunteers there are
problems because no one individual is in charge of producing the jar
files and there is no certificate chain available from someone like
Verisign.

Kris Jurka

Re: Availability of a Signed Version of postgresql.jar

From
"Dario V. Fassi"
Date:
For "Trusted Java applications" and "J2EE Client applications"  , any jar deployed with (or part of)  the application must be signed.

For JavaWebStart applications , if you need to deploy the postgresql.jar as a component of the application , then must be signed, otherwise all the application is considered "Not trusted".

Of course , anyone can  sign postgresql.jar with their own  certificate (or self signed certificate),  but how in JavaWebStart the certificate is presented to the user for acceptance , will be better if the certificate belong to the official organization.

If the development group don't have a real certificate , since the development group is a non-profit organization, I think that Verising or any other certification authority can donate one.


Kris Jurka wrote:
On Thu, 8 Jul 2004, Dario V. Fassi wrote:
 
It's available a  Signed Version of   postgresql.jar  ?
   
No, but why would you want one?  As I understand it signed jar files are 
only useful in a sandboxed environment where access to protected resources 
is desired.  The postgresql jar file itself is useless without an 
application calling it so the application should include the 
postgresql.jar file and be signed, not the pg jar file.

Further as the driver is maintained by unrelated volunteers there are 
problems because no one individual is in charge of producing the jar 
files and there is no certificate chain available from someone like 
Verisign.

Kris Jurka

 

--

    Dario V. Fassi


SISTEMATICA ingenieria de software  srl
Ituzaingo 1628  (2000)  Rosario, Santa Fe, Argentina.
Tel / Fax:  +54 (341) 485.1432 / 485.1353



Re: Availability of a Signed Version of postgresql.jar

From
Kris Jurka
Date:

On Thu, 8 Jul 2004, Dario V. Fassi wrote:

> Of course , anyone can  sign postgresql.jar with their own  certificate
> (or self signed certificate),  but how in JavaWebStart the certificate
> is presented to the user for acceptance , will be better if the
> certificate belong to the official organization.

This makes sense, but isn't exactly an item that anyone else has been
begging for.  Does it matter which developer signs it?  Does it need to be
the same one every time?  If yes, then we don't have that infrastructure
available at the moment and I don't see how to build it given the
looseness of our organization.  If no, then why not just sign it yourself.
I guess I just fail to see the point of self signing.

> If the development group don't have a real certificate , since the
> development group is a non-profit organization, I think that Verising or
> any other certification authority can donate one.

I'll believe that when I see it.

Kris Jurka

Re: Availability of a Signed Version of postgresql.jar

From
"Chris Smith"
Date:
Kris Jurka wrote:
> This makes sense, but isn't exactly an item that anyone else has been
> begging for.  Does it matter which developer signs it?  Does it need
> to be the same one every time?  If yes, then we don't have that
> infrastructure available at the moment and I don't see how to build
> it given the looseness of our organization.  If no, then why not just
> sign it yourself. I guess I just fail to see the point of self
> signing.

One use of code-signing is to prevent the distribution of "fake" versions of
code.  *IF* the person using the code properly and conscientiously verifies
the signature on the code, then they can be sure that the signer signed the
exact copy they've received.  This protects against an attack whereby a web or
ftp server is compromised and people download versions of the driver with
trojan horses embedded... or even just where a trojan horse is distributed by
"back" channels aside from the web site.

For this purpose, any relatively trusted person who contributes to PostgreSQL
could grab the code, audit it for trojan horses, and then sign it.  The signed
version would prevent replacing the driver with an obvious trojan horse.
Nevertheless, since the code isn't really developed in a controlled "private"
environment to begin with, the signature would only mean that there aren't
obvious flaws.  In essense, it's no harder to postulate that someone
compromises the CVS server as that someone compromises a web or ftp server, so
some of the point is lost.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation