Date: Fri, 31 Jan 1997 11:51:18 -0800
Message-Id: <199701311951.LAA17223@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: dzhang@trcinc.com
Subject: Re: help

> Based on my reading, you need the public key of the author to verify the
> document, am I right? If this is true, then I need to provide Jar the
> public key.

This is correct. You need to

  a) generate a public and private key pair for the signer
  b) generate a certificate for the signer
  c) use javakey and its access to the signer's private key
     to sign the file
  d) distribute the certificate of the signer to the people
     who will try to use your signed JAR archive
     (this is separate from distributing the signed archive
     itself)

You don't provide jar with the public key, however. What you need to
do is import the certificate of the signer into the identity database
on the client system.

That is, suppose the client wants to read your signed JAR archive and
verify the signature. You need to send him the certificate
containing the public key. *He* needs to import that certificate
into his identity database. The steps for doing this are as follows.

Suppose the nickname for the identity is "dzhang", and that you mailed
him your certificate, and he saved it in a file named /tmp/dzhang.x509:

  % javakey -c dzhang true
  % javakey -ic dzhang /tmp/dzhang.x509

Marianne

p.s. Please refer to these documents

  Using Javakey -- http://java.sun.com/security/usingJavakey.html
  Policy Recommendations -- http://java.sun.com/security/policy.html

and our hypermail archive

  http://jeeves.javasoft.com:8080/hypermail/java-security-html/
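
The signer-side steps a) to d) and the client-side import described in the message above, written out as one script. This is an added example, not part of the original message; it assumes JDK 1.1 javakey with its -cs, -gk, -gc and -gs options and directive-file format, and the real name, organisation, dates, serial number and file names are constructed sample values.

```shell
# Added example. "dzhang" is the nickname from the message; the names, dates,
# serial number and file names below are constructed sample values.
SIGNER=dzhang

# Directive file for "javakey -gc"; self-signed, so issuer == subject.
write_cert_directive() {
    cat > "$1" <<EOF
issuer.name=$SIGNER
subject.name=$SIGNER
subject.real.name=Example Signer
subject.org.unit=Example Unit
subject.org=Example Org
subject.country=US
start.date=1 Feb 1997
end.date=1 Feb 1998
serial.number=1001
out.file=$SIGNER.x509
EOF
}

# Directive file for "javakey -gs": signer, which certificate, signature name.
write_sign_directive() {
    cat > "$1" <<EOF
signer=$SIGNER
cert=1
chain=0
signature.file=DZHANG
EOF
}

signer_side() {                        # usage: signer_side archive.jar
    javakey -cs "$SIGNER" true         # trusted signer entry in the database
    javakey -gk "$SIGNER" DSA 512      # a) key pair
    write_cert_directive cert.directive
    javakey -gc cert.directive         # b) certificate -> dzhang.x509
    write_sign_directive sign.directive
    javakey -gs sign.directive "$1"    # c) sign the archive
}                                      # d) send dzhang.x509 to the recipient

client_side() {                        # usage: client_side /tmp/dzhang.x509
    javakey -c "$SIGNER" true          # trusted identity, holds no private key
    javakey -ic "$SIGNER" "$1"         # import the signer's certificate
    javakey -ld                        # list the database to confirm the import
}

case "${1:-}" in
    sign)   signer_side "$2" ;;
    import) client_side "$2" ;;
esac
```

Only the certificate file crosses from signer to client; the private key generated in step a) stays in the signer's own identity database.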