Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata


Signing is a certification of origin that follows the artifact around no matter where it goes...

I've just tried getting Jetty to sign their artifacts, and it seems that an external PGP signature is the preferred way in the much more security-constrained world of web servers. Actually, signatures in MANIFEST.MF are considered harmful for some use cases. Please see https://github.com/eclipse/jetty.project/issues/5898 for details.

(from there)
"If the eclipse-jarsigner-plugin modifies the META-INF/MANIFEST.MF with signatures, then this is undesired for general usage of our artifacts (there are enough projects that use Eclipse Jetty with bytecode manipulation where actually signed jar files do cause problems at the classloader)."


Really? I have never heard of that. Isn't bytecode manipulation done after the class that you manipulate is loaded through the classloader and checked? Or are they saying that if you generate fully new classes in memory in that package, then you get that "different signatures of the same package" problem?

In many years I think we have used bytecode manipulation stuff (even currently, I think, in our Eclipse product) and everything is signed, but I never encountered any problem, so I really wonder if there is a unit test.

If you do external PGP signatures, where do those external things come from when, for example, Eclipse wants to update/install plugins (and it checks that kind of signature)? Do I need to have an internet connection?
