The standard is the only C# DLL and Java JAR that should be signed.

(warning) Rob will check out how to use public / private keys for the Java jar files.

(warning) Jesper will remove the keys from SourceForge.

There was an initial attempt to retrieve the private key used for signing the C# DLL, but this did not appear to be possible (at least not in a trivial way). Since signing the DLL with a new key would mean having a new version of the DLL, it was decided to sign the Java JAR with a different key. Both key pairs will be kept by the chairman of the OATC.

Signing of the Java JAR file is possible using the keytool and jarsigner utilities from the JDK. A keystore (a password-protected database) has to be created that holds the generated private key(s) and certificates. Information from the keystore can then be used to sign the JAR and to export the public key that has to be published. For verification, a user has to import the public key with keytool and can then use jarsigner to verify the JAR. A certificate from a certification authority can be used for improved security.
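The keytool/jarsigner steps described above, written out as shell functions. This is an added example, not the OATC's own procedure; the alias, distinguished name, file names and password are constructed placeholders, and the final fingerprint comparison is an addition that ties the JAR to the published certificate.

```shell
#!/usr/bin/env bash
# Added example, not the project's own procedure. Alias, DN, file names and
# the password are constructed placeholders.
ALIAS=release-signer
export STOREPASS="${STOREPASS:-constructed-example-pass}"  # read via :env, so it stays out of argv

# Maintainer: create the password-protected keystore with a private key and
# a self-signed certificate.
make_keystore() {  # $1 = keystore file
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 3072 -validity 730 \
    -dname "CN=Example Release Signer" \
    -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS
}

# Maintainer: sign the JAR in place, then export the certificate to publish.
sign_jar() {  # $1 = keystore, $2 = jar, $3 = certificate file to publish
  jarsigner -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS "$2" "$ALIAS" &&
  keytool -exportcert -rfc -alias "$ALIAS" -file "$3" \
    -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS
}

# SHA-256 fingerprint of the first certificate keytool prints for its input.
fingerprint() {  # args: "-file cert.pem" or "-jarfile some.jar"
  keytool -printcert "$@" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# User: import the published certificate, let jarsigner check the digests and
# signature, then confirm the signer is the published certificate.
verify_jar() {  # $1 = truststore, $2 = published certificate, $3 = jar
  if [ ! -f "$1" ]; then
    keytool -importcert -noprompt -alias "$ALIAS" -file "$2" \
      -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS || return 1
  fi
  jarsigner -verify -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS "$3" \
    >/dev/null 2>&1 || return 1
  want=$(fingerprint -file "$2"); got=$(fingerprint -jarfile "$3")
  [ -n "$want" ] && [ "$want" = "$got" ]
}
```

`jarsigner -verify` exits successfully on an unsigned JAR, which is why `verify_jar` also requires the signer fingerprint to match the published certificate.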

Since the used .NET Strong Name Key was and is in a (publicly readable) SVN, I think it should be considered "compromised" and not really suitable for authentication anymore. We probably have to discuss the whole signing issue and its purpose again at the next meeting before taking further steps.

3. Next Skype meetings

  • Topic IValueSet: next Thursday, 13.1. at 9:00 CET (8:00 UTC)
  • Regular meeting: Thursday, 20.1. at 9:00 CET (8:00 UTC)
  • Open SDK issues: Thursday, 27.1. at 10:00 CET (9:00 UTC)