
Re: signed jar in java library



> > Basically, the source of the Bouncy Castle Crypto libraries is
> > freely available, however the library jar file is signed by Bouncy
> > Castle, which is necessary for its use as a Java security provider.
> 
> Bad.
> 
> > As far as I can tell, in creating a Java library package, I want to
> > include all of the original source, but then distribute the signed jar
> > rather than rebuilding it from the source.
> 
> I personally don't like it... but well, let's trust the Legion of the
> Bouncy Castle

The only options I can think of are to make multiple packages, some with
signed jars and some with unsigned jars, or to provide both jars in the
same package. Note that this is not just a matter of being signed by the
Legion of the Bouncy Castle; the certificate they use was obtained
from "the JCE Code Signing Certification Authority" [1]. Being signed
allows Java to [2]trust the jar, in accordance with the privileges
associated with the trusted signer.

1. http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205
2. http://java.sun.com/j2se/1.4.2/docs/guide/extensions/spec.html#installed

> > I have tried the various options I could think of, but wherever I try to
> > include the signed jar in the package, whether inside or outside of the
> > debian subdirectory, with or without a new jar directory, I get the
> > following error when I run dpkg-buildpackage:
> 
> You can follow the advice of doogie, or you can also rebuild a
> semi-original tarball.
> 
> Also, looking at #234048, your short description will be rejected by
> ftp-master. You also have to make good descriptions of all the binary
> packages that your source package will produce.

Yeah, I filed the initial bug imagining a single package, and then
realized that there are multiple packages distributed separately by
Bouncy Castle. My first thought was to create a different package for
each signed jar they provide on their download page. Is that the right
thing to do, or should I rather create a single package that provides
all of the jars? Or should I group together the 112, 113, and 114 jars
of the same type?

I've uploaded a first stab at packaging one of the jars to
mentors.debian.net, but it doesn't seem to be there yet. The package
name I uploaded is libbcprov-jdk14-java. I would love to get feedback on
it once it arrives.

> I'm not a guru in cryptography so I'd like to know the differences
> between Bouncy Castle Cryptography and Cryptix?
> 
> Bouncy Castle Crypto APIs -- http://www.bouncycastle.org/
> Cryptix -- http://www.ntua.gr/cryptix/

They are very similar in nature. They do, of course, have different
algorithms implemented. I started using Bouncy Castle because of their
Elliptic Curve Cryptography implementation (including ECDSA,
specifically). Also, "Although primarily geared towards providing
alternative encryption algorithms for J2SE, the Legion has adapted some
of its code to work with J2ME. Specifically, parts of the Bouncy Castle
lightweight cryptography API work with both the CLDC and the CDC" [3].

3. http://java.sun.com/developer/J2METechTips/2001/tt1217.html

> Thanks for your time and help in Debian,

Thank you for your feedback. I hope to receive additional help as I iron
out the issues related to packaging Bouncy Castle.

Charles

-- 
Prize contest details
May be obtained
At football broadcast
Every Saturday
Over WCCO
Burma-Shave
http://frogcircus.org/burmashave/1933/prize_contest_details
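Since the thread turns on shipping the vendor-signed jar unchanged rather than rebuilding it, the practical check for a packager is whether the jar in the package still carries its signature files and whether the per-entry digests in its manifest still match the contents. The script below is an added example written for this page; it is not code from the thread, from Debian's packaging tools or from Bouncy Castle. It uses only the Python standard library, builds a small constructed jar in memory (a placeholder .RSA block, not a real signature), and checks the first layer of the JAR signing format: which signature blocks are present, and whether each entry's content still matches the digest recorded in META-INF/MANIFEST.MF. It does not verify the signature block itself; that is what `jarsigner -verify` does against the signer's certificate.

```python
"""Inspect a JAR for signature entries and check its manifest digests.

Added example for this thread, not part of any project's tooling. A signed jar
carries META-INF/MANIFEST.MF with per-entry digests, a META-INF/<ALIAS>.SF
signature file and a META-INF/<ALIAS>.RSA (or .DSA/.EC) signature block. This
checks presence of the block and the manifest digests only; it does not
verify the cryptographic signature over the .SF file.
"""
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry_name: {header: value}}.

    Main attributes are stored under the key None. Continuation lines in the
    manifest format start with a single space and are unfolded first.
    """
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections, current, current_name = {}, {}, None
    for line in unfolded.split("\n"):
        if not line.strip():            # blank line ends a section
            if current:
                sections[current_name] = current
            current, current_name = {}, None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current_name = value
        else:
            current[key] = value
    if current:
        sections[current_name] = current
    return sections


def signature_blocks(jar_bytes):
    """Return the names of signature block files (META-INF/*.RSA etc.)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("META-INF/")
                      and n.upper().endswith(SIG_BLOCK_SUFFIXES))


def check_manifest_digests(jar_bytes):
    """Return {entry: bool} for every entry named in the manifest.

    True when the SHA-256-Digest (or, failing that, SHA1-Digest) recorded in
    the manifest matches the entry's actual content.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name, attrs in manifest.items():
            if name is None:            # skip the main attributes section
                continue
            data = zf.read(name)
            ok = False
            for header, algo in (("SHA-256-Digest", "sha256"), ("SHA1-Digest", "sha1")):
                if header in attrs:
                    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
                    ok = actual == attrs[header]
                    break
            results[name] = ok
    return results


def build_sample_jar(tamper=False):
    """Build a constructed sample jar in memory (hypothetical entry names).

    The .RSA entry is a placeholder, not a real signature block. With
    tamper=True the class entry is modified after the manifest was written,
    which is the case a digest check must catch.
    """
    entries = {"org/example/Provider.class": b"\xca\xfe\xba\xbe constructed class bytes"}
    lines = ["Manifest-Version: 1.0", "Created-By: constructed sample", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        zf.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/SAMPLE.RSA", b"placeholder signature block")
        for name, data in entries.items():
            zf.writestr(name, data + (b"tampered" if tamper else b""))
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        jar = build_sample_jar(tamper=tampered)
        print("signature blocks:", signature_blocks(jar))
        print("digests ok:", check_manifest_digests(jar))
```

On a real package, read the jar from disk and pass the bytes to the two check functions; an entry reported False, or an empty signature block list, means the jar was rebuilt or altered after signing and will no longer be accepted by the JCE framework as a signed provider.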


