
Re: process to include upstream jar sig in Debian-generated jar



On Wed, Aug 28, 2013 at 11:45:07PM -0400, Hans-Christoph Steiner wrote:
> I want to run an unusual idea by everyone here as an approach to getting an
> outside signature into a packaged Java jar built from source on the Debian
> build machines: we want to get http://martus.org packaged and into Debian.
> Martus is an app that has high requirements for security, so they have a very
> careful build and signing process.  They want to be able to include their jar
> signature in the jar that is included in the Debian package.

Is there a reason that it needs to be signed?  Will the server
software for instance reject talking to the client if the client
isn't signed?  I don't really see how it could do that.

The shipment of files in Debian already is being signed.  That is,
you can be sure that the .deb file is really what is in Debian.
That however doesn't mean that someone might somehow have altered
the .jar file after installation.  But if they have altered the
.jar file, there is nothing that prevents them from altering
other files and I don't see how you prevent running an altered
.jar file with the signature.  So I have to wonder what the
added benefit is of having those files checked in Debian.

I'm sure that it's very useful for checking what they ship
and that people can verify that what they downloaded was
correct.

It would also be useful if they could somehow make those
builds reproducible, and so not contain timestamps, so
that everybody can verify that the .jar file they ship
and the source match.


Kurt
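
An added example, not part of the message above and not Martus or Debian code: one way to check whether a jar rebuilt from source carries the same content as a signed upstream jar even when zip timestamps differ. All function names are hypothetical and the sample jars are constructed in memory.

```python
import hashlib
import io
import zipfile

# Signature-related file names the JAR format reserves directly under META-INF/.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    head, _, base = name.upper().rpartition("/")
    return head == "META-INF" and (base.endswith(SIG_SUFFIXES) or base.startswith("SIG-"))

def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of its uncompressed content. Timestamps,
    entry order and compression are ignored; signature files and the
    manifest (which signing rewrites with per-entry digests) are skipped."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if info.is_dir() or is_signature_entry(name) or name.upper() == "META-INF/MANIFEST.MF":
                continue
            digests[name] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests

def compare_jars(upstream, rebuilt):
    a, b = entry_digests(upstream), entry_digests(rebuilt)
    return {
        "only_upstream": sorted(set(a) - set(b)),
        "only_rebuilt": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def make_jar(entries, date_time):
    """Build a constructed sample jar in memory; every entry gets date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

# Constructed sample data: a "signed upstream" jar and two rebuilds made later.
CLASSES = {"org/example/A.class": b"\xca\xfe\xba\xbe A", "org/example/B.class": b"\xca\xfe\xba\xbe B"}
SIGNED = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n", "META-INF/UPSTREAM.SF": b"sf",
          "META-INF/UPSTREAM.RSA": b"sig", **CLASSES}
UPSTREAM = make_jar(SIGNED, (2013, 8, 1, 12, 0, 0))
REBUILT_OK = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n", **CLASSES}, (2013, 8, 28, 23, 45, 6))
REBUILT_BAD = make_jar({**CLASSES, "org/example/B.class": b"\xca\xfe\xba\xbe B'"}, (2013, 8, 28, 23, 45, 6))
```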

