
Signing questions

 
Tom Landry
Ranch Hand
Posts: 76
If a jar file is signed for a web application at what level does the verification occur (web server, browser....)?

What does it look for? Does it verify that all components (CN, OU, O, L, ST, C) are all entered in?

How does it know that it is valid and tell the difference that some random person didn't sign it?
 
Campbell Ritchie
Sheriff
Posts: 48652
I think this question is too difficult for us “beginners”, so I shall move it (I hope to the right place).
 
Paul Clapham
Sheriff
Posts: 20964
I'm not sure what "verification" you are referring to but let me try answering that question assuming it means what I think it does.

When you create a certificate, you can put anything you like in those places. It's just information. No verification takes place, as far as I know. And if the jar is part of a web application, there's nothing to look at the certificate anyway. That would only happen when the Java environment on the client side had to use the jar file to run an applet or a Java Web Start application.

And if you were talking about the client-side situation, the verification is done by the user. The browser plugin pops up a security box saying "This application was signed by Tom Landry, do you want to run it?" and it's up to the user to say yea or nay to that.

That's if you create your own certificate and sign it. If you get a certificate from one of the companies that sell them, and use that to sign your jar, then the browsers already have that certificate in their trust store and they'll give you a much less scary security box.

Are we going in the right direction with that answer?
 
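To make the mechanism in Paul's answer concrete, here is an added example (my own code, not from this thread or from the JDK's tooling) that does what the client-side Java runtime does before it shows that dialog: it verifies the entry digests against the signature files, reads the signer's distinguished name (which is only whatever text the key's creator typed in), and checks whether the signer's certificate chains to a root in a trust store we supply. The trust store parameter and all names here are assumptions of the example; a self-signed signer yields trustedChain == false, which is the case that gets the scary prompt.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {
    public record Report(String signerDn, boolean everyEntrySigned, boolean trustedChain) {}

    /** trustStore: roots we choose to trust (e.g. the JDK's cacerts), never anything taken from the jar itself. */
    public static Report inspect(String jarPath, KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases()))
            if (trustStore.isCertificateEntry(alias) && trustStore.getCertificate(alias) instanceof X509Certificate root)
                anchors.add(new TrustAnchor(root, null));
        String signerDn = null;
        boolean everyEntrySigned = true, trustedChain = false;
        // verify=true: each entry's digest is checked against META-INF/*.SF as it is read; a tampered entry throws SecurityException.
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements(); ) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (var in = jar.getInputStream(e)) { in.readAllBytes(); } // signers are populated only after a full read
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { everyEntrySigned = false; continue; }
                if (signerDn == null) { // first signer only; a jar may carry several
                    CertPath path = signers[0].getSignerCertPath();
                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    signerDn = leaf.getSubjectX500Principal().getName(); // the CN/OU/O/L/ST/C typed by whoever made the key
                    trustedChain = chainsToAnchor(path, anchors);
                }
            }
        }
        return new Report(signerDn, signerDn != null && everyEntrySigned, trustedChain);
    }

    /** PKIX path validation: a self-signed signer that is not itself in the trust store fails here. */
    static boolean chainsToAnchor(CertPath path, Set<TrustAnchor> anchors) {
        try {
            Set<X509Certificate> roots = new HashSet<>();
            for (TrustAnchor a : anchors) roots.add(a.getTrustedCert());
            List<X509Certificate> chain = new ArrayList<>();
            for (var c : path.getCertificates()) chain.add((X509Certificate) c);
            // A root the signer bundled into the jar proves nothing; the anchor must come from our own store.
            while (chain.size() > 1 && roots.contains(chain.get(chain.size() - 1))) chain.remove(chain.size() - 1);
            if (roots.contains(chain.get(0))) return true;
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // offline example; keep revocation checking on in production
            CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509").generateCertPath(chain), params);
            return true;
        } catch (GeneralSecurityException ex) { return false; }
    }
}
```

Call it as `inspect("app.jar", cacerts)` after loading cacerts with `KeyStore.load`; an unsigned jar comes back with a null signer and everyEntrySigned == false, which is the "jar file was not signed" situation described later in the thread.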
Tom Landry
Ranch Hand
Posts: 76
That actually does help.

I do recall running an application that was failing and after reviewing the error stack it stated the jar file was not signed.

If it is the client that is doing the verification, how would it know whether or not a given application is to be signed or not?
 
Paul Clapham
Sheriff
Posts: 20964
Tom Landry wrote: If it is the client that is doing the verification, how would it know whether or not a given application is to be signed or not?

Usually the client doing the verification is a human being. So it's up to that human to decide whether they approve of what they see of the signed jar.

If you're asking about a hypothetical situation where an application would (in an automated way) check whether a jar was signed or not, then presumably it was programmed to do that check. It may be that there was supposed to be a client certificate in place, or something like that, but that may or may not have anything to do with the situation you observed.
 
Christine Kasavetova
Greenhorn
Posts: 6
@Paul really useful post, thanks
 