Code signing [Was: JEP draft: Prepare to Restrict The Use of JNI]

Andrew Haley aph-open at littlepinkcloud.com
Fri Sep 8 13:16:24 UTC 2023


On 9/7/23 14:48, Attila Kelemen wrote:
> What I meant is that the signature itself is not that important, what is important is that you can reliably identify a library.

This is true. Signing a library is merely a way of marking it as good.
(Clearly the word "trusted" is problematic. I might just as well say
"yellow".)

> However, you don't really need all the guarantees a signature gives you for this. It is enough if you read some properties from the manifest, like vendor, etc., and trust it.

Indeed, but this is a rather fragile mechanism. A checksum over the whole
library is less fragile.

> In fact, it might even tell you more, because if not any manifest entry can be used, then you could tell from the presence of the manifest entry that people considered that these properties will be used for access rights (unlike signatures, because all libraries in Maven central are signed).

I can't understand the meaning of this sentence.

It's not necessary to trust the Maven central signature.

-- 
Andrew Haley  (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
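The contrast Andrew draws above, identifying a library by a vendor attribute read from its manifest versus a checksum over the whole archive, shown as an added example. This is not code from the thread or from the JDK; the two JARs are constructed inline (a JAR is a ZIP with META-INF/MANIFEST.MF), and the vendor name, the allow-lists and the helper names are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile


def build_jar(vendor: str, class_bytes: bytes) -> bytes:
    """Constructed sample: a minimal JAR with a manifest and one class file."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Implementation-Vendor: {vendor}\r\n"
        "Implementation-Title: example-native-lib\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("com/example/Native.class", class_bytes)
    return buf.getvalue()


def read_manifest_attr(jar_bytes: bytes, name: str):
    """Return one main-section attribute from META-INF/MANIFEST.MF.

    Simplified on purpose: real manifests wrap lines longer than 72 bytes
    with a leading space; the constructed manifests here never do.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in text.splitlines():
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def allowed_by_manifest(jar_bytes: bytes, trusted_vendors: set) -> bool:
    """The manifest-property approach: trust whatever the JAR says about itself."""
    return read_manifest_attr(jar_bytes, "Implementation-Vendor") in trusted_vendors


def allowed_by_checksum(jar_bytes: bytes, trusted_digests: set) -> bool:
    """The whole-library checksum approach: trust only bytes seen before."""
    return sha256_hex(jar_bytes) in trusted_digests


# Constructed artifacts. Both carry the same vendor attribute; only the
# first is the build that was actually vetted. The impostor is anyone
# who can write a manifest, i.e. anyone.
GENUINE = build_jar("Example Corp", b"\xca\xfe\xba\xbe genuine")
IMPOSTOR = build_jar("Example Corp", b"\xca\xfe\xba\xbe impostor")

TRUSTED_VENDORS = {"Example Corp"}          # hypothetical manifest allow-list
TRUSTED_DIGESTS = {sha256_hex(GENUINE)}     # digest recorded when GENUINE was vetted


def evaluate() -> dict:
    """For each JAR: (passes manifest check, passes checksum check)."""
    return {
        "genuine": (allowed_by_manifest(GENUINE, TRUSTED_VENDORS),
                    allowed_by_checksum(GENUINE, TRUSTED_DIGESTS)),
        "impostor": (allowed_by_manifest(IMPOSTOR, TRUSTED_VENDORS),
                     allowed_by_checksum(IMPOSTOR, TRUSTED_DIGESTS)),
    }


if __name__ == "__main__":
    for name, (by_manifest, by_digest) in evaluate().items():
        print(f"{name}: manifest={by_manifest} checksum={by_digest}")
```

The manifest check accepts both archives, because the attribute is just a string any author can write; the checksum check accepts only the bytes that were vetted. The flip side is that a checksum pins exact bytes, so every rebuild of a library, however legitimate, needs a fresh entry in the digest list.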



More information about the jdk-dev mailing list