What needs to be signed?

 

I'm deploying a JavaFX application and am not quite sure what does and doesn't need to be signed. Here are my thoughts:

- Installation file: This obviously needs to be signed.

- The EXE that launches the application: I believe this needs to be signed, although it feels a little bit funny because it isn't my code.

- My JAR files: I believe that these also need to be signed, although I'm not sure if anything terrible happens if I don't.

- Library JARs that I've grabbed off the internet: I don't feel like I should sign these. Is there any reason to?

- Java runtime: I'm guessing there's no reason to sign this, and I'd probably violate some agreement if I do.

- JNLP file: Not using this, no reason to touch this.

Have I looked at this properly? Am I signing the correct files?

A friend of mine has a saying " it's not what you did... it's what you can prove in court. "

With this respect, I advise you to look at this problem from a legal point of view and assume the worst possible context it can apply in; ie you becoming legally accountable after someone tampers with your software.

Digital signatures are designed especially for these types of problems.

With this respect, let's split your answer into 2 different classification parts:

  • the software you're releasing - includes your jars, jnlp, bundled .exes, etc.

  • all of these must be singed in order to ensure that you can't be affected by any unauthorized tempering with your own code. It doesn't matter whether or not you've released that jnlp. If someone generates an invasive one and it's traced back to you, your failure to authenticate your own released version of that jnlp will not be ok.

  • the software released by other people. - includes everything which you're using in order to get your system to work. (jre, libs)

  • when using something like this, it's a good idea to make sure you're using a genuine copy of whatever your lib manufacturer has released. Use their checksums/signatures/etc. to validate and verify their software integrity upon demand. You have to read their liability and disclaimer statements and in the event they fail to provide one themselves.

  • In general it is a good idea to place as little trust as possible when it comes to software sources other than yourself. Unfortunately, there are many compromised or malicious libs out there which are in fact security risks.

  • it is always a good idea to make sure you're releasing a downloaded lib which is certified by an external issuer and as such cannot be held responsible for any malicious code detected within.

    • To answer your question... it really depends on the client endpoint and the likelyhood of you getting sued for providing them with a security risk (i advise you to always expect this to be 100%). If you're liable for damages... you need to proceed accordingly.

    In short... the best possible answer to this quesiton is to do whatever is possible to cover yourself in the event the worst happens.

    Does your application need elevated privileges? If the installer is targeting Windows you wish to install the application to Program Files, then your installer will need to be signed. Without it, Windows will give a yellow banner during privilege escalation request.

    So - sign your installer.

    The exe that launches the application should ideally be signed as well. But for a java application, this is perhaps a mute point. Signing the exe is easy enough, that I'd just do it anyways.

    Sign launcher exe - Optional, but I'd do it

    Jar files. This is an interesting one and depends on what you goal is. Ie, the OS and the end user are probably not going to be aware of the signed or unsigned nature of your Jar. Therefore you will probably have to verify the integrity of the jar yourself. See https://docs.oracle.com/javase/tutorial/deployment/jar/signindex.html Perhaps the launcher application can perform the integrity checks before the launch step ?

    Library jars , Similar to the case above, if you want to make sure that no one has dropped in a diff jar into your application or some such use case, you will need to verify this yourself.

    Java Runtime If you shipping this, is this not already signed by Oracle or your JVM vendor ?

    链接地址: http://www.djcxy.com/p/92620.html

    上一篇: 如何定义程序的要求

    下一篇: 需要签署什么?