On Tuesday 20 February 2007, Warren Togami wrote: > > Perhaps a scheme like this would be acceptable: > 1) Spec file builds the JAR from sources. > 2) Uses some kind of intelligent compare algorithm to be sure that the > Java bytecode is truly identical to the signed JAR. > 3) ONLY IF THEY MATCH, then throw away the built copy and ship the > signed JAR. Interesting idea. > Now there are possible problems with this... > 1) How error-prone or even possible is it to make reproducible JAR files > that can compare in this way? Different compilers generate at least somewhat different bytecode, and chances that the compilers used by upstream and Fedora are different are very high. Perhaps decompiling the bytecode in both the upstream jar and the built jar and comparing those would yield better results, OTOH the compiler differences might be reflected in the decompiled code too. Hm, is there a Java decompiler included in Fedora? > Other question... > *Who* must sign the JAR file for it to be valid? For JCE providers for use with Sun's Java, and applies probably to BEA as well, dunno about others, one needs to have a code signing certificate issued by Sun's JCE code signing CA. http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205a -- fedora-extras-list mailing list fedora-extras-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-extras-list
