What's the point of signing code, like jars?

2019-03-14 10:59发布

问题:

What is the point of signing your code like Java's jars when everyone can do it with jarsigner? How does it provide security?

回答1:

The point of signing a JAR file is to verify that it has not been tampered with. Once a jar file is signed you can verify that this file hasn't been modified by someone else. This ensures that the file originates from the person that originally signed it. If someone has modified the file in-between the signature verification process will fail. You may check this article for more details on how public key cryptography could be used to perform digital signature.



回答2:

When you sign a jar file you can show that it was you that signed it and not someone else.

It's the same idea when you sign a document - only you can write your signature. Other people can sign it, but they'll sign it with their signature, not yours.

With hand-written signatures a skilled forger can learn to copy your signature. With digital signatures it is much more difficult to make a copy because you need to get that person's private key. Without the private key you cannot make a signature that looks like theirs.



回答3:

Signing a jar ties the contents back to a particular certificate. So what is that certificate proving?

If the private key for the certificate has been stolen, then not very much. There are tamper-proof devices for keeping private keys. However, often private keys often lie about on developer machines. Those machines are probably not well protected.

A certificate may itself be signed by a well known Certificate Authority (CA). So the end-user has some confidence that content has the claimed origin. The amount of verification that the certificate key holder is who they claim to be varies. This has led to a race-to-the-bottom where CAs simplify procedures to offer lower prices.

Even for unverified certificates, different content signed with the same certificate shows a common origin. So if you make a decision to trust a certificate, you can receive more content from the same origin without trusting anyone else.