Subject: jar format reference (Re: adding gpg to src/gnu/dist)
To: Daniel Carosone <dan@geek.com.au>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 05/19/2004 11:11:26

On Tue, May 18, 2004 at 12:00:41PM +1000, Daniel Carosone wrote:
> [.jar format]
>
> We could adopt that directly, or use the same kind of techniques in a
> tar container - either way, the mechanism used in that format to
> present file signatures is quite elegant and convenient for working
> with unixy scripty type tools. Certainly informative and worth a look.

For reference, a useful plain-english overview of the technique:

 http://java.sun.com/docs/books/tutorial/jar/sign/intro.html

The essential point is that the signature is data within the archive,
rather than an encapsulation over it.  There's a file that's similar
to our MD5SUMS file in the metadata directory, and a signature file
over that.  Those can be added, and the file re-zipped, and the
contents will still validate.

If we established filename conventions that allowed multiple signature
files to be added to the archive independently, we'd have something
very useful indeed.  This is what I'd need, as a local administrator,
to "bless" specific 3rd-party packages for automated local
installation/distribution.

--
Dan.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iD8DBQFAqrQ+EAVxvV4N66cRAnZfAKD0+BQCBUDtULS7bc6zPsUeHJVrTQCfU84d
MDtHPRVH7IS8/WwM7D+jMds=
=9YKy
-----END PGP SIGNATURE-----
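The scheme the message describes, as an added example that is not part of the original post or of any JAR tooling: a digest manifest stored inside the archive (the JAR convention puts it at META-INF/MANIFEST.MF), one signature file per signer stored beside it, a verifier that checks both, and a local "bless" step that re-zips the archive with one more signature file without disturbing the existing ones. A real JAR signs the manifest with a PKCS#7 public-key signature; here HMAC-SHA256 stands in for it so the example runs on the standard library alone, and the `META-INF/<signer>.SIG` file name, the keys and the sample files are constructed for the demonstration.

```python
"""JAR-style in-archive signatures (added example; HMAC stands in for the
PKCS#7 signature a real JAR carries, signer file names are constructed)."""
import hashlib
import hmac
import io
import zipfile

META_DIR = "META-INF/"
MANIFEST = META_DIR + "MANIFEST.MF"   # per-entry digests, like an MD5SUMS file
SIG_SUFFIX = ".SIG"                   # constructed: META-INF/<signer>.SIG


def build_manifest(entries):
    """Manifest text: one 'SHA-256 <hex>  <name>' line per content entry."""
    lines = [f"SHA-256 {hashlib.sha256(entries[n]).hexdigest()}  {n}"
             for n in sorted(entries)]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest, key):
    """Signature over the manifest bytes (HMAC stand-in for a public-key sig)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()


def _rezip(members):
    """Write {name: bytes} back out as a fresh zip; returns the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(members):
            zf.writestr(name, members[name])
    return buf.getvalue()


def _unzip(archive):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def write_archive(entries, signers):
    """entries: {name: bytes}; signers: {signer_name: key}."""
    manifest = build_manifest(entries)
    members = dict(entries)
    members[MANIFEST] = manifest
    for signer, key in signers.items():
        members[META_DIR + signer + SIG_SUFFIX] = sign_manifest(manifest, key)
    return _rezip(members)


def add_signer(archive, signer, key):
    """Re-zip with one more signature file.  The manifest and content are
    untouched, so every earlier signature stays valid."""
    members = _unzip(archive)
    members[META_DIR + signer + SIG_SUFFIX] = sign_manifest(members[MANIFEST], key)
    return _rezip(members)


def verify(archive, trusted):
    """Return (ok, valid_signers).  ok requires that the set of content entries
    equals the manifest's set, every digest matches, and at least one signer in
    `trusted` has a valid signature file over the manifest."""
    members = _unzip(archive)
    manifest = members.get(MANIFEST)
    if manifest is None:
        return False, []
    valid = [s for s, key in trusted.items()
             if hmac.compare_digest(members.get(META_DIR + s + SIG_SUFFIX, b""),
                                    sign_manifest(manifest, key))]
    expected = {}
    for line in manifest.decode().splitlines():
        _algo, digest, name = line.split(None, 2)
        expected[name] = digest
    content = {n: d for n, d in members.items() if not n.startswith(META_DIR)}
    if set(content) != set(expected):      # entry added, removed or renamed
        return False, valid
    for name, data in content.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected[name]):
            return False, valid            # entry modified
    return bool(valid), valid


def demo():
    """Vendor-signed package, locally blessed, then tampered with (constructed)."""
    trusted = {"vendor": b"vendor-key", "admin": b"local-admin-key"}
    files = {"bin/tool": b"#!/bin/sh\necho hi\n", "README": b"docs\n"}
    jar = write_archive(files, {"vendor": trusted["vendor"]})
    out = {"vendor_only": verify(jar, trusted)}
    blessed = add_signer(jar, "admin", trusted["admin"])  # local admin blesses it
    out["blessed"] = verify(blessed, trusted)
    members = _unzip(blessed)
    members["bin/tool"] = b"#!/bin/sh\necho changed\n"   # content edited after signing
    out["tampered"] = verify(_rezip(members), trusted)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Two points the code makes that the prose only implies: verification must reject entries that are absent from the manifest, otherwise an unsigned file can ride along in a validly signed archive; and a tampered entry still carries valid signatures (the signatures cover the manifest, not the entries), so the digest check and the signature check are both required.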