
Re: JCE Code Signing Certificate



* Charles Fry:

>> In the meantime, it occurred to me that the certified key (including
>> the private key) would have to be included in the source package,
>> otherwise the package would fail to build from source.
>> 
>> While I see nothing in Sun's form that requires us to keep the private
>> key secret, publishing it might still not be such a good idea.
>
> The key must be kept secret, otherwise it can't be trusted (i.e. people
> could maliciously modify the code, and then sign their modifications).

And how would this be a problem?  Keep in mind that it's apparently
pretty easy to obtain your own certificate.

(That's part of the reason why I still wonder why this signature is
necessary.)


