Wednesday, May 19, 2010

[android-developers] Info: Understanding self signed jar files (like the apk files)

A number of features in Android depend on signing the .apk file, and some
of those features are only available when jar files are signed with the
same signature.

However, if you are new to the digital signing process, it can be a bit confusing.

Here are some notes I have kept to clarify the digital signing process
by drawing parallels to physical world signatures. I hope these notes
help clarify the mental picture of signing digitally.

You can see the write-up at

http://www.satyakomatineni.com/akc/display?url=DisplayNoteIMPURL&reportId=3493&ownerUserId=satya

For a quick read, here is the same material repeated in text format:

*******************************************
Understanding self signed jar files
*******************************************
It is often, occasionally accompanied by a wave of the hand, that one
advises or talks of "jar" files (packaged Java class files that make up an
application or module) as being signed.

Only a few times do we ask back: "What do you mean by signed?"

What does it mean for a jar file to be signed?

Does this signing have parallels to how we sign physical documents? Do
they differ? If so, how do they differ?

How do you establish a "pattern" of understanding for digital
signatures, so that you can treat the subject abstractly, just as when
someone says they signed a physical document?

*******************************************
Understanding first: Wine collector and his caskets of wine
*******************************************

Imagine you are a wine collector located in a very un-wine-like place
such as the Sahara desert, and farmers around the world are sending you
wine caskets to archive, sell, and so on. For a moment, think that they
are not doing it for money, so they are not expecting anything in
return.

What the wine collector notices is that each casket she receives, and
the wine inside it, has a specific hue and color that is distinct from
every other. On further investigation she finds out that if two caskets,
or the wine inside them, have the same hue, then they ALWAYS come from
the same farmer. On digging further, the collector finds out that each
farmer has a "SECRET HUE RECIPE" that she locks up in a cellar and never
reveals. This explains why each wine is different, and why two wines
with the same hue MUST COME from the same farmer.

So the hue becomes the signature of the farmer, and the farmer hides
the recipe for that signature from everyone else. Like a family stamp.

An important distinction in this example is that there is no way for the
collector to know "WHICH" farmer sent the wine: there is no name or
address associated with that signature. Even if there were, it is quite
possible that another wine farmer could send a casket by copying that
address. The collector would then conclude that two wine caskets that
came to her with the same address, but clearly with two different hues,
came from two farmers at the same address with the same name, but never
with the same wine.

*******************************************
Where do they differ from real signatures
*******************************************

When you or I sign a document and send it to, say, the IRS, the IRS
assumes that you are sending the right information, such as phone,
address and Social Security number. If two applications are received
with the same Social Security number but distinct signatures, the IRS
will have to verify your signature against the card that THEY issued.

It is the same with banks. The banks have your signature on file to verify against.

In cases where they don't preregister your signature, they will have to
come to you after the fact and verify the signature later.

It is also reasonable to assume that physical signatures can
occasionally be forged. It is far, far, far harder to crack the digital
encryption.

*******************************************
What is a good pattern for understanding signed jar files
*******************************************

So when someone says that they signed a jar file, it means that this
jar file is uniquely colored and can be distinguished UNIQUELY from any
other set of jar files. However, there is no way to identify the source
developer or company with any authenticity.

Such jar files are called self-signed jar files.

To know the "SOURCE", what you have to do is have a third-party
company that the wine collector trusts tell us that "color-red"
comes from "Company1". Now every time we see "color-red", we know
that it is from "Company1". These are called third-party signed jar
files. They are useful in your browser to tell you that you are
downloading a file from Company1.

*******************************************
So how does one digitally sign?
*******************************************
The above semantics, or understanding, is technically implemented
through what is called public/private key encryption. Mathematics
has the ability (with great probability) to generate two numbers
whereby if you encode with the first number (private), then only the
second number (public) can decrypt it. These keys are asymmetric. Even
if everyone knows the public key, there is NO way they can encrypt a
message that the public key can decrypt. Only its matching private key
can do that.

So in essence, when the wine farmer creates a code for her casket using
the private key, she writes down the public key name on top of the
casket and also the secret code on the casket. When the wine collector
takes that public key and unravels the secret code, if she is
successful then she knows that the "public" key is correct and the
message was encrypted only by the farmer who wrote the public key.

*******************************************
There are two tools in the Java toolkit that help with this:
*******************************************

The first one, "keytool", generates the public/private keys given a password.

The second tool, called "jarsigner", creates the secret code using the
private key and the jar file data itself. This additional step of
including the jar file contents makes it possible to verify that the jar
file has not been tampered with.
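To make the two steps above concrete, here is an added toy model (not the author's code and not the JDK's own implementation) of what keytool and jarsigner do: generate a key pair, sign a digest of the jar's contents with the private key, and verify with the public key. It assumes fixed, publicly known primes and a truncated SHA-256 digest purely for illustration; the farmer names, entry names and entry bytes are constructed.

```python
import hashlib
from math import gcd

# Toy RSA keys from well-known Mersenne primes: illustrative only, a real keytool run draws fresh random primes.
FARMER1_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
FARMER2_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)
E = 65537

def keytool_generate(p, q):
    """Stand-in for `keytool -genkey`: returns (public_key, private_key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    d = pow(E, -1, phi)  # the secret part that never leaves the cellar
    return (n, E), (n, d)

def jar_digest(entries):
    """Hash entries in a fixed order, like the per-file digests jarsigner puts in META-INF/MANIFEST.MF."""
    h = hashlib.sha256()
    for name in sorted(entries):
        h.update(name.encode() + b"\0" + entries[name] + b"\0")
    return int.from_bytes(h.digest()[:16], "big")  # 128 bits, below each toy n

def jarsigner_sign(entries, private_key):
    """Stand-in for `jarsigner`: the "secret code" is the digest raised to the
    private exponent, so it depends on both the key and the jar contents."""
    n, d = private_key
    return pow(jar_digest(entries), d, n)

def jarsigner_verify(entries, signature, public_key):
    """Stand-in for `jarsigner -verify`: undo the code with the public key and
    compare it with a fresh digest of the jar as received."""
    n, e = public_key
    return pow(signature, e, n) == jar_digest(entries)

def demo():
    """Constructed two-entry "apk" signed by farmer 1; returns each outcome."""
    pub1, priv1 = keytool_generate(*FARMER1_PRIMES)
    pub2, _priv2 = keytool_generate(*FARMER2_PRIMES)
    apk = {"AndroidManifest.xml": b"<manifest package='example.app'/>",
           "classes.dex": b"dex\n035\0constructed sample bytes, version 1"}
    sig1 = jarsigner_sign(apk, priv1)
    tampered = {**apk, "classes.dex": apk["classes.dex"] + b"!"}
    update = {**apk, "classes.dex": b"dex\n035\0constructed bytes, version 2"}
    return {
        "genuine": jarsigner_verify(apk, sig1, pub1),        # same hue, contents intact
        "tampered": jarsigner_verify(tampered, sig1, pub1),  # changed after signing
        "other_farmer": jarsigner_verify(apk, sig1, pub2),   # a different hue entirely
        "update_same_key": jarsigner_verify(update, jarsigner_sign(update, priv1), pub1),
    }
```

The last outcome is the Android case from the top of the post: a second version verifies under the same public key, so the collector can tell both caskets carry one hue without ever learning who the farmer is.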

*******************************************
Another example to solidify the signature understanding
*******************************************

When you visit a foreign land, turn on the radio, and hear many
different songs, you can tell there are different singers and can
identify each one separately, but you do not know who they are or what
their names are. This is also self-signing. When a friend of yours names
a singer and associates that name with a voice you have heard, that is
third-party signing.

Again, one can imitate another singer's voice to confuse or lull the
listener into incompetence, whereas it is far, far, far harder to
emulate a digital signature.

