Code signing [Was: JEP draft: Prepare to Restrict The Use of JNI]

Attila Kelemen attila.kelemen85 at gmail.com
Fri Sep 8 19:51:46 UTC 2023


>
> > In fact, it might even tell you more, because if not just any manifest entry
> > can be used, then you could tell from the presence of the manifest entry
> > that people considered that these properties will be used for access rights
> > (unlike signatures, because all libraries in Maven Central are signed).
>
> I can't understand the meaning of this sentence.
>
> It's not necessary to trust the Maven central signature.
>

Basically I just meant that having a signature is a pretty low bar (because
100% of the libs in Maven Central have it). I'm not trying to imply that
you thought it was a high bar; I just wanted to clarify, in case someone
considered that a bonus. And having manifest entries specifically added for the
purpose of granting native access based on them is a higher bar, because it
requires more conscious consideration from the library. That is, it is not
just there by chance like a signature.
