  • Acegi Jar is Unsigned

    I downloaded acegi-security-1.0.1.zip from the Minneapolis mirror. When I ran

    jarsigner -verify -verbose -certs acegi-security-1.0.1.jar, I got the following message:

    jar is unsigned. (signatures missing or not parsable)

    I get the same result from the Phoenix mirror. Did someone forget to sign the jar, or is something fishy going on?

  • #2
    The Jar isn't signed, but Carlos provided a PGP signature when he did the release:

    http://acegisecurity.sourceforge.net...ecurity/1.0.1/

    • #3
      The readme says,

      "We strongly recommend that you verify the integrity of the JAR files included
      in this release. You can do so using the following command:

      "jarsigner -verify -verbose -certs jar_file_name"

      Of course, replace the jar_file_name with "acegi-security-XXXXX.jar" or the
      appropriate path to the Acegi Security JAR to be validated.

      Until further notice, all Acegi Security official releases are signed by:

      X.509, EMAILADDRESS=[email protected], CN=Benjamin Peter Alex, GIVENNAME=Benjamin Peter, SURNAME=Alex
      X.509, CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

      If the above certificate was not used, or the JAR was not validated, DO NOT
      USE THE JAR. Please email the acegisecurity-developers list (contact details
      are provided below) for further assistance."

      If this policy has been changed, the documentation needs to be updated. I'd like to use Acegi, but I want to be sure that no malicious third party has modified the security framework I'm using in my application.

      • #4
        You are right, the docs should be changed. Thanks for pointing this out.

        If this policy has been changed, the documentation needs to be updated. I'd like to use Acegi, but I want to be sure that no malicious third party has modified the security framework I'm using in my application.
        The malicious third party could also have modified any of the third-party jars used by acegi, your application and application server, so the risk is arguably still present even if you are using one of the signed jars.
        Last edited by Luke Taylor; Aug 25th, 2006, 03:05 PM.

        • #5
          So how do we use the PGP signature to verify integrity?
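The following is an added example and is not code from this thread or from the Acegi project. It covers both checks discussed above: the `jarsigner -verify -verbose -certs` procedure quoted from the README in #3, and the PGP signature check asked about in #5. The expected signer CN is taken from the README text in #3; the PGP key fingerprint (`EXPECTED_FPR`) and the `.asc` file name next to the archive are placeholders and assumptions, not values from the thread. The two check functions read tool output on stdin so they can be exercised offline against constructed sample output embedded in the script.

```shell
#!/bin/sh
# Added example, not code from the thread or the Acegi project.
# Two checks: (1) the jarsigner verification the README in #3 prescribes,
# (2) the PGP signature check asked about in #5.
# EXPECTED_CN comes from the README text quoted in #3. EXPECTED_FPR and the
# ".asc" file name are placeholders/assumptions, not values from the thread:
# obtain the real fingerprint from a channel you trust, never from the same
# mirror that served the download.

EXPECTED_CN="CN=Benjamin Peter Alex"
EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder

# jar_signed_ok: reads the output of "jarsigner -verify -verbose -certs <jar>"
# on stdin. Succeeds only if jarsigner printed "jar verified." AND the signer
# certificate carries the expected CN. The "jar is unsigned" message from #1
# fails, and so does a jar that is validly signed by somebody else.
jar_signed_ok() {
    out=$(cat)
    case "$out" in
        *"jar verified."*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"$EXPECTED_CN"*) return 0 ;;
        *) return 1 ;;
    esac
}

# pgp_sig_ok: reads "gpg --status-fd 1 --verify <sig> <file>" status lines on
# stdin. GOODSIG alone only says that *some* key in your keyring made the
# signature; VALIDSIG with the expected fingerprint pins it to the release key.
# BADSIG, ERRSIG and NO_PUBKEY all fail here.
pgp_sig_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$out" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " || return 1
    return 0
}

# Wrappers for real use (need jarsigner and gpg installed):
#   verify_release_jar acegi-security-1.0.1.jar
#   verify_release_pgp acegi-security-1.0.1.zip   # expects <file>.asc beside it (assumption)
verify_release_jar() { jarsigner -verify -verbose -certs "$1" | jar_signed_ok; }
verify_release_pgp() { gpg --status-fd 1 --verify "$1.asc" "$1" | pgp_sig_ok; }

# Constructed sample outputs (not captured from real runs) so the checks can be
# exercised offline.
UNSIGNED_OUTPUT='jar is unsigned. (signatures missing or not parsable)'
SIGNED_OUTPUT='sm      4321 Fri Jul 07 12:00:00 GMT 2006 org/acegisecurity/Example.class

      X.509, EMAILADDRESS=<redacted>, CN=Benjamin Peter Alex, GIVENNAME=Benjamin Peter, SURNAME=Alex
      X.509, CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

jar verified.'
OTHER_SIGNER_OUTPUT='sm      4321 Fri Jul 07 12:00:00 GMT 2006 org/acegisecurity/Example.class

      X.509, CN=Someone Else, O=Constructed Example

jar verified.'
GOOD_GPG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2006-07-07 1152273600 0 4 0 1 2 00 0000000000000000000000000000000000000000'
BAD_GPG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Placeholder Signer <signer@example.invalid>'
```

The point of checking the signer, not just "verified", is the one #3 makes: a jar can carry a perfectly valid signature from the wrong certificate, and `jarsigner` will still say "jar verified." The same applies to the PGP path, which is why `pgp_sig_ok` requires `VALIDSIG` with a pinned fingerprint rather than settling for `GOODSIG`. Neither check addresses the point raised in #4: the other jars on the classpath need the same treatment, or the assurance is only partial.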
