jpkg should be able to sign an existing module file
Mandy Chung
mandy.chung at oracle.com
Fri Apr 22 14:05:54 PDT 2011
On 4/22/11 1:04 PM, Sean Mullan wrote:
> Currently, jpkg can create a signed module file from a module library,
> but it cannot take an existing module file and apply a signature to
> it. That's an important use case that is missing, and being able to
> separate these tasks is essential in situations where the signing
> needs to be done independently or by some other entity. For example,
> the signing key may reside on a different machine, or the signer may
> be in a different organization, etc.
>
> In fact, I would like to make an argument that we should only support
> the latter case, that is that jpkg --sign only applies to existing
> module files. In other words, signing a file is a 2 step process,
> first you run "jpkg ... <module_name>" to create the module file, then
> you run "jpkg --sign ... <module_file>" to apply a signature to it.
> This would also simplify the jpkg CLI, as there would be fewer options
> to parse when signing and breaking them up into subcommands makes it
> easier to understand.
>
> Comments?
>
I agree that jpkg should support signing of an existing module file. I
would imagine that developers would build and test an unsigned version of
their module file and the makefile would support signing of the module
file built from the same build logic. If signing is typically done by
another entity or on a different machine, making it a 2 step process
sounds reasonable to me.
Mandy
More information about the jigsaw-dev mailing list