英文:
JAR signing stops someone from modifying a JAR, but what stops someone from swapping the JAR with their own that they've signed, or is unsigned?
问题
我有一个Java桌面应用程序。我正在下载并动态运行JAR文件。 JAR签名可以保护免受他人修改我下载的JAR文件。但是,如何验证我的应用程序只运行我签名的JAR文件?
如果不确保我运行的所有JAR文件都是由我签名的,那么对于桌面应用程序来说,JAR签名是否仍然不安全?
英文:
I have a Java desktop application. I'm downloading and dynamically running JAR files. JAR signing protects me from someone modifying the JAR file that I've downloaded. How would I verify that my application only runs JARs that I've signed though?
Without ensuring that all JARs I'm running are signed by me, then isn't JAR signing still insecure for desktop use?
答案1
得分: 1
JAR签名是关于由运行应用程序的人验证它自从签名以来是否已被修改。此外,基于证书,您可以检查谁签署了它。
它不保护允许应用程序的人修改:他们可以删除签名,或者他们可以自己签名,如果您的应用程序中有代码来验证签名,他们还可以替换该代码以执行无验证或验证其证书。
换句话说,是的,你说得对,它不会保护您免受您所考虑的情况。它也不是为那种情况而设计的(即,它不是数字版权管理的一种形式)。
是否认为它适用于桌面使用,再次取决于运行应用程序的个人/公司。他们可以配置其安全策略,以仅接受某些签名证书。
您可能还想阅读Java教程签署和验证JAR文件,特别是了解签名和验证章节。
英文:
JAR signing is about verification by the one running the application that it hasn't been modified since it was signed. In addition, based on the certificate, you can check who signed it.
It does not protect against modification by the one running the application: they can strip out the signature, or they can sign it themselves, and if you have code in your application to verify the signature, they can also replace that code to perform no verification or verify against their certificate.
In other words, yes, you're right, it doesn't protect you from the scenario you have in mind. It is also not intended for that scenario (as in, it is not a form of DRM).
Whether or not you consider it safe for desktop use is, again, up to the person/company running the application. They can configure their security policy in such way to accept only certain signing certificates.
You may also want to read the Java tutorial Signing and Verifying JAR Files, especially the chapter Understanding Signing and Verification.
答案2
得分: -2
更新您的Java客户端应用程序以使用Java网络启动协议(JNLP),如在"Java Web Start"框架中实现的,将解决您的问题。 JNLP最初是在Java 1.8中实现的,不包括在OpenJDK中。 但您可以在OpenJDK 11及更高版本中使用它,通过引入开源包OpenWebStart。
对于每个应用程序,您需要创建一个带有JNLP扩展名的XML文件,用户将运行该文件,而不是直接执行jar文件。 然后,JNLP将下载这些jar文件并安全地代表用户执行它们。
为确保您的jar文件没有被篡改,您需要使用Java的jarsigner实用程序对它们进行签名,如此Stack Overflow帖子所述。
为了建立对您的代码签名证书的信任,OpenWebStart提供了一种将您的代码签名证书PFX文件导入到受信任的证书存储库的方法,如用于OpenWebStart的证书导入。
在运行时,JNLP仅执行它下载到本地缓存的jar文件,并确保它们带有受信任的代码签名。 这将保护您的jar文件免受篡改。
英文:
Updating your Java client applications to use Java Network Launch protocol (JNLP), as implemented with the "Java Web Start" framework, would address you concerns. JNLP, originally implemented in Java 1.8, is not included in the OpenJDK. But you can use it with OpenJDK 11 and higher by incorporating the open source package OpenWebStart.
For each application, you would author an XML file with a JNLP extension which your users would run instead of executing jars directly. JNLP will then download the jars and executes them securely on the user's behalf.
To ensure that your jar files are not tampered with, you will need to sign them with a code signing certificate using Java's jarsigner utility as described on this SO posting:
Signing a jar file with trusted certificate for JWS deployment
To establish trust of your code signing certificate, OpenWedStart provides a way to import your code signing certificate PFX file to a trusted certificate store:
Importing certificates for use with OpenWebStart
At runtime, JNLP executes only jars that it downloads to its local cache and ensures they are signed with a trusted code signing signature. And that will protect your jars from tampering.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论