'Re: [9] Review request: JDK-8169443 Deprecate Java Packager Blob Signing'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-openjfx-dev
Subject:    Re: [9] Review request: JDK-8169443 Deprecate Java Packager Blob Signing
From:       Chris Bensen <chris.bensen () oracle ! com>
Date:       2016-12-14 0:27:09
Message-ID: 04315759-9323-4375-B5F7-961B87F61DC2 () oracle ! com
[Download RAW message or body]

The "new" was introduced for some reason in JDK 1.8 documentation but this has been \
there since JDK 1.0 documentation which I can't find but it's also there since JDK \
2.0 [1].

The deployment guide will be updated.

Chris

[1] http://docs.oracle.com/javafx/2/deployment/javafx_ant_task_reference001.htm \
<http://docs.oracle.com/javafx/2/deployment/javafx_ant_task_reference001.htm>


> On Dec 13, 2016, at 3:52 PM, Stefan Fuchs <snfuchs@gmx.de> wrote:
> 
> Well, in Java 8 <fx:signjar> is part of the javafx_ant_task reference [1]
> and advertised as being the new and more efficient way to sign jars [2]
> 
> Anyway, perhaps the deprecation message for <fx:signjar> could be enhanced to point \
> to https://ant.apache.org/manual/Tasks/signjar.html as the recommended way to sign \
> jars. The Deployment Guide should be updated as well.
> 
> - Stefan
> 
> 
> [1] http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/javafx_ant_task_reference.html#CIADDAEE
>  [2] http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/packaging.html#BABJGFBH
>  
> 
> 
> David DeHaven wrote:
> > This is only signing via the <fx:signjar> mechanism, which was never fully \
> > supported or part of any standard. To sign webstart applications (even FX apps) \
> > just use jarsigner or the associated ant signjar task. 
> > -DrD-
> > 
> > [1] https://ant.apache.org/manual/Tasks/signjar.html
> > 
> > > On Dec 13, 2016, at 11:02 AM, Stefan Fuchs <snfuchs@gmx.de> wrote:
> > > 
> > > Hi Chris,
> > > 
> > > well I think reason number 1 is not correct. The definition of self signed \
> > > depends on who created the signing key. If you created it yourself, it is a \
> > > self signed jar and will rightfully be blocked. If you however obtained the \
> > > signing key from a Certification Authority, that java accepts, it is not a self \
> > > signed jar and will not be blocked. This is a perfectly valid usecase for \
> > > fxsign jar. 
> > > For the 2nd reason: I don't think many users will go modular for Webstart \
> > > Applications. Normally you simply pack all your classes in a single big \
> > > jar-file (and perhaps a second, if you use a preloader). This avoids various \
> > > network round trips, when the application starts and makes deployment much \
> > > easier. 
> > > 
> > > Stefan
> > > 
> > > > Hi Stefan,
> > > > 
> > > > Yes, it is being deprecated. It will continue to function as it has. Two main \
> > > > reasons for the deprecation are: 
> > > > 1. Self signed jars are blocked and sign as blob is a self signed jars.
> > > > 
> > > > 2. There will be a replacement for modules that will be better.
> > > > 
> > > > Chris
> > > > 
> > > > 
> > > > > On Dec 12, 2016, at 11:56 PM, Stefan Fuchs <snfuchs@gmx.de> wrote:
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > so blog signing as deprecated.
> > > > > 
> > > > > What are the reasons for deprecating blog signing? Are there alternatives?
> > > > > How do I sign a webstart application?
> > > > > 
> > > > > Stefan
> > > > > 
> > > > > > David,
> > > > > > 
> > > > > > Please review these changes to deprecate the blob signing from the Java \
> > > > > > Packager. 
> > > > > > JIRA: https://bugs.openjdk.java.net/browse/JDK-8169443 \
> > > > > >                 <https://bugs.openjdk.java.net/browse/JDK-8169443>
> > > > > > Webrev: http://cr.openjdk.java.net/~cbensen/JDK-8169443/webrev.00/ \
> > > > > > <http://cr.openjdk.java.net/~cbensen/JDK-8169443/webrev.00/> 
> > > > > > Chris
> > 
> 


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic