On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
Yes but the whole thing looks weird, on one hand OP wants to include a signed jar in the package, on the other hand he says "signature could be omitted if quick update is needed"… What's the point having signed JAR if unsigned JAR is legitimate too? Either you ban unsigned JARs or you don't use signed JAR at all…
It leaves that decision of whether to run with the unsigned jar up to the user. I think this is a reasonable solution if it works in practice, and is similar in concept to what the openssl folks have done for FIPS validation.
Description: Digital signature