Results 1 to 5 of 5

Thread: Acegi Jar is Unsigned

  1. Aug 22nd, 2006, 11:40 AM #1
    kcflyer
    kcflyer is offline Member
    Join Date
    Jun 2006
    Location
    Kansas City
    Posts
    95

    Exclamation Acegi Jar is Unsigned

    I downloaded acegi-security-1.0.1.zip from the Minneapolis mirror. When I ran

    jarsigner -verify -verbose -certs acegi-security-1.0.1.jar, I got the following message:

    jar is unsigned. (signatures missing or not parsable)

    I get the same result from the Phoenix mirror. Did someone forget to sign the jar, or is something fishy going on?
  2. Aug 22nd, 2006, 03:46 PM #2
    Luke Taylor
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    The Jar isn't signed, but Carlos provided a PGP signature when he did the release:

    http://acegisecurity.sourceforge.net...ecurity/1.0.1/
  3. Aug 23rd, 2006, 09:37 AM #3
    kcflyer
    kcflyer is offline Member
    Join Date
    Jun 2006
    Location
    Kansas City
    Posts
    95

    Default

    The readme says,

    "We strongly recommend that you verify the integrity of the JAR files included
    in this release. You can do so using the following command:

    "jarsigner -verify -verbose -certs jar_file_name"

    Of course, replace the jar_file_name with "acegi-security-XXXXX.jar" or the
    appropriate path to the Acegi Security JAR to be validated.

    Until further notice, all Acegi Security official releases are signed by:

    X.509, EMAILADDRESS=ben.alex@acegi.com.au, CN=Benjamin Peter Alex, GIVENNAME=Benjamin Peter, SURNAME=Alex
    X.509, CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA -->

    If the above certificate was not used, or the JAR was not validated, DO NOT
    USE THE JAR. Please email the acegisecurity-developers list (contact details
    are provided below) for further assistance."

    If this policy has been changed, the documentation needs to be updated. I'd like to use Acegi, but I want to be sure that no malicious third party has modified the security framework I'm using in my application.
  4. Aug 23rd, 2006, 02:38 PM #4
    Luke Taylor
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    You are right, the docs should be changed. Thanks for pointing this out.

    If this policy has been changed, the documentation needs to be updated. I'd like to use Acegi, but I want to be sure that no malicious third party has modified the security framework I'm using in my application.
    The malicious third party could also have modified any of the third-party jars used by acegi, your application and application server, so the risk is arguably still present even if you are using one of the signed jars.
    Last edited by Luke Taylor; Aug 25th, 2006 at 02:05 PM.
  5. Aug 24th, 2006, 10:17 AM #5
    kcflyer
    kcflyer is offline Member
    Join Date
    Jun 2006
    Location
    Kansas City
    Posts
    95

    Default

    So how do we use the PGP signature to verify integrity?
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules