Re: Availability of a Signed Version of postgresql.jar

For "Trusted Java applications" and "J2EE Client applications"  , any jar deployed with (or part of)  the application must be signed.

For JavaWebStart applications , if you need to deploy the postgresql.jar as a component of the application , then must be signed, otherwise all the application is considered "Not trusted".

Of course , anyone can  sign postgresql.jar with their own  certificate (or self signed certificate),  but how in JavaWebStart the certificate is presented to the user for acceptance , will be better if the certificate belong to the official organization.

If the development group don't have a real certificate , since the development group is a non-profit organization, I think that Verising or any other certification authority can donate one.


Kris Jurka wrote:

On Thu, 8 Jul 2004, Dario V. Fassi wrote:
 

It's available a  Signed Version of   postgresql.jar  ?
   

No, but why would you want one?  As I understand it signed jar files are 
only useful in a sandboxed environment where access to protected resources 
is desired.  The postgresql jar file itself is useless without an 
application calling it so the application should include the 
postgresql.jar file and be signed, not the pg jar file.

Further as the driver is maintained by unrelated volunteers there are 
problems because no one individual is in charge of producing the jar 
files and there is no certificate chain available from someone like 
Verisign.

Kris Jurka

 

    Dario V. Fassi

SISTEMATICA ingenieria de software  srl
Ituzaingo 1628  (2000)  Rosario, Santa Fe, Argentina.
Tel / Fax:  +54 (341) 485.1432 / 485.1353