[widgets] Jar signing vs. XML signatures

I noticed that widget packaging uses XML signatures (notorious for
bugs in canonicalization/reserialization code) for signing zip files.
However, signing zip files has been solved long ago for Java jar
files. The mechanism or a variation of it is also used for Mozilla xpi
files and ODF documents.

Wouldn't it be simpler to use jar signing instead of inventing a new
way of signing zip files with implementation dependencies on XML
signatures and spec dependencies on XSD? (Why does the spec have
dependencies on XSD?)

Jar signing is pretty simple compared to XML canonicalization &
reserialization. When you need to reserialize XML, you import all the
troubles of serializing XML (see e.g.
https://issues.apache.org/bugzilla/buglist.cgi?query_format=advanced&product=Security&component=Canonicalization&cmdtype=doit).
The META-INF folder is ugly, but unsigned widgets could omit it,
and it isn't much uglier than an XML signature file on the top level
of the zip archive.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Tuesday, 14 April 2009 08:28:35 UTC
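The jar-style scheme the message refers to, shown as an added example that is not part of the thread and is not code from the Widgets spec or from any jar tool: a manifest (META-INF/MANIFEST.MF) carrying a digest of each entry's stored bytes, a signature file (META-INF/<signer>.SF) carrying a digest of the manifest, and a signature block over the raw .SF bytes. The point the post makes is visible in the verifier: every check hashes bytes exactly as stored in the archive, so no canonicalization or reserialization step exists to get wrong. Assumptions in this example: the signer name "WIDGET" is hypothetical; the signature block is an HMAC so the example runs on the standard library alone, where real jars use a PKCS#7/CMS signature block (.RSA/.DSA) over the .SF; SHA-256 is used for the digest attributes; and the 72-byte line wrapping of the real manifest format is not handled, so entry names must stay short. Real jarsigner also writes per-section digests into the .SF; this example relies on the whole-manifest digest only.

```python
"""Jar-style signing and verification of a zip archive (added example, simplified)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SF_FILE = "META-INF/WIDGET.SF"    # hypothetical signer name "WIDGET"
SIG_FILE = "META-INF/WIDGET.SIG"  # stands in for the PKCS#7 .RSA/.DSA block
SIGNED = {MANIFEST, SF_FILE, SIG_FILE}


def _digest(data: bytes) -> str:
    """Base64 SHA-256 of the bytes exactly as given; no canonicalization of any kind."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _section(attrs: list[tuple[str, str]]) -> str:
    """One manifest section: 'Key: value' lines terminated by a blank line."""
    return "".join(f"{k}: {v}\r\n" for k, v in attrs) + "\r\n"


def _parse(text: bytes) -> list[dict[str, str]]:
    """Split a manifest-style file into sections (72-byte line continuation not handled)."""
    sections = []
    for block in text.decode("utf-8").split("\r\n\r\n"):
        if not block.strip():
            continue
        attrs = {}
        for line in block.split("\r\n"):
            key, _, value = line.partition(": ")
            attrs[key] = value
        sections.append(attrs)
    return sections


def sign_zip(entries: dict[str, bytes], key: bytes) -> bytes:
    """Produce a signed archive from a name -> bytes mapping (key is the hypothetical HMAC key)."""
    # 1. MANIFEST.MF: one section per content entry, digest of the entry's stored bytes.
    manifest = _section([("Manifest-Version", "1.0")])
    for name in sorted(entries):
        manifest += _section([("Name", name), ("SHA-256-Digest", _digest(entries[name]))])
    manifest_bytes = manifest.encode("utf-8")
    # 2. WIDGET.SF: digest of the manifest file as a whole.
    sf_bytes = _section([("Signature-Version", "1.0"),
                         ("SHA-256-Digest-Manifest", _digest(manifest_bytes))]).encode("utf-8")
    # 3. Signature block over the raw .SF bytes (HMAC here; PKCS#7/CMS in real jars).
    sig = hmac.new(key, sf_bytes, "sha256").digest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest_bytes)
        zf.writestr(SF_FILE, sf_bytes)
        zf.writestr(SIG_FILE, sig)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_zip(zip_bytes: bytes, key: bytes) -> list[str]:
    """Return a list of problems; empty means every content entry is covered by a valid signature."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if not SIGNED <= names:
            return ["archive is not signed"]
        manifest_bytes, sf_bytes, sig = (zf.read(n) for n in (MANIFEST, SF_FILE, SIG_FILE))
        # Signature is over the .SF bytes as stored, so verification needs no reserialization.
        if not hmac.compare_digest(sig, hmac.new(key, sf_bytes, "sha256").digest()):
            return ["signature over .SF does not verify"]
        sf_main = _parse(sf_bytes)[0]
        if sf_main.get("SHA-256-Digest-Manifest") != _digest(manifest_bytes):
            return ["MANIFEST.MF does not match digest in .SF"]
        listed = {s["Name"]: s["SHA-256-Digest"] for s in _parse(manifest_bytes)[1:]}
        # Policy choice for this example: an entry the manifest does not cover fails verification.
        # (Java's own verifier merely reports such entries as unsigned rather than rejecting the jar.)
        for name in sorted(names - SIGNED):
            if name.endswith("/"):
                continue  # directory entries carry no content
            expected = listed.get(name)
            if expected is None:
                problems.append(f"unsigned entry: {name}")
            elif _digest(zf.read(name)) != expected:
                problems.append(f"digest mismatch: {name}")
        for name in sorted(set(listed) - names):
            problems.append(f"listed in manifest but missing: {name}")
    return problems


def with_entry(zip_bytes: bytes, name: str, data: bytes) -> bytes:
    """Copy the archive, adding or replacing one entry (simulates tampering after signing)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info, src.read(info.filename))
        dst.writestr(name, data)
    return out.getvalue()


# Constructed sample widget and key (not real data).
KEY = b"example-hmac-key"
ENTRIES = {"config.xml": b"<widget/>", "index.html": b"<!doctype html><p>hi</p>"}
```

Running `verify_zip(sign_zip(ENTRIES, KEY), KEY)` yields an empty list; replacing `index.html` after signing reports a digest mismatch, adding a file the manifest never listed reports an unsigned entry, and a wrong key fails at the signature check before any entry is read.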