Re: JCE Code Signing Certificate
* Charles Fry:
>> In the meantime, it occurred to me that the certified key (including
>> the private key) would have to be included in the source package,
>> otherwise the package would fail to build from source.
>>
>> While I see nothing in Sun's form that requires us to keep the private
>> key secret, publishing it would still not be such a good idea.
>
> The key must be kept secret, otherwise it can't be trusted (i.e. people
> could maliciously modify the code, and then sign their modifications).
And how would this be a problem? Keep in mind that it's apparently
pretty easy to obtain your own certificate.
(That's part of the reason why I still wonder why this signature is
necessary.)