Code signing [Was: JEP draft: Prepare to Restrict The Use of JNI]

Alan Bateman Alan.Bateman at oracle.com
Wed Sep 6 09:06:10 UTC 2023



On 06/09/2023 09:51, Mario Torre wrote:
> :
> Not answering for Andrew, but I think that tying access control to a
> cryptographically signed binary rather than a command line flag seems
> more robust. It shifts the knowledge from the launcher (granting the
> privileges to the modules it knows) toward the actual library
> (granting the privileges to the modules that are signed). It also works
> well within FIPS environments, since then additional restrictions can
> be implemented if necessary (like only trusting certain algorithms
> etc.).
>
> You are right it's a different kind of configuration, but it seems
> worthy of being considered.
>
Andrew is right that the JDK is waist deep in crypto, but aside from 
validating signatories it doesn't have everything needed to ensure 
trust, at least not like the infrastructure that Java Web Start had in 
Oracle JDK up to JDK 8.

Signing did come up in the previous commotion around taming agents, but 
not seriously, due to the challenges of establishing trust and all the 
complexity and usability issues that go with signing. There were also 
concerns about building open source projects that would need to be signed.

-Alan