jwall.org - Security
Since this is currently only a small project, I currently do not have an official CA certificate. However, I set up an internal authority for signing the web servers certificate for subversion-access https://secure.jwall.org (currently public access to the subversion repository is not allowed). My personal certificate is also signed by that CA.
There is a GPG public key available for sending encrytped mails and signing. The key is
has the ID
C5C3953C and is associated with the address
chris (at) jwall.org.
The CA certificate is available here:
The certificate's fingerprint is:
The CA's distinguished name is
C=DE, ST=NRW, O=jwall.org, OU=Security CN=ca.jwall.org/emailAddressemail@example.com
In todays times it has become quite common to download programs and libraries from the internet. Security of mobile code is an important issue since you are encouraged to only run code that is supposed to be clean and trustable.
For these reasons I will provide signed versions of the jars available from this site. Though you cannot really trust my CA certificate unless you verified it or have it checked against some authority that you trust (obtaining an officially signed CA certificate is a goal for me, though pending near the end of my todo-list), the signed jars are at least somewhat affiliated to this site. You can verify them by checking the archives against the CA certificate jwall-ca.pem, which is the same CA certificate that was used to sign the site-cert of https://secure.jwall.org.
The jars are signed using Sun's
keytool. The certificate that used for
digitally signing the released jar-files can be obtained here:
chris-jwall.org.pem. This certificate has
the following fingerprint:
The distinguished name is the same as the CA with different cannonical name (CN):
C=DE, ST=NRW, O=jwall.org, OU=Security CN=Christian Bockermann/emailAddressfirstname.lastname@example.org
Verifying the jar-Archives
The simplest way of verifying a signed archive without importing the above CA certificate
into you systems trusted certificate-cache is probably to create a small temporal
java-based keystore by importing the CA certificate into an emtpy one using the
keytool provided by SUN:
keytool -import -keystore jwall.keystore -file jwall-ca.pem
Next you are promtped for a password that is used for that keystore. You can now use
jarsigner tool that comes with your Java environment to verify a signed
archive as following (verifying the web-audit library in this example):
jarsigner -verify -keytore jwall.keystore org.jwall.web.audit-0.2.9-signed.jar