使用jar签名作为一种许可证密钥 [英] Using jar signing as a kind of license key
问题描述
Related to this question, can / should I use jar signing to create a tamper proof jar with information embedded for run-time enforcement of the number of users allowed to use the application? My idea is this:
- 使用单个类创建jar,其中该类包含可容纳正确数量用户的静态字段
- 签名jar并将其放置在Grails war lib文件夹中,这样在classpath上
- (假设,这是正确的吗?)我可以从grails应用程序访问签名的jar文件中的类中的静态字段,因为我知道该jar尚未被篡改(否则,将会引发异常),并且无需进行任何其他工作,例如接受"签名.
- Create jar with single class containing static field holding the right number of users
- Sign the jar and place in Grails war lib folder so on classpath
- (Assumption, is this correct?) I can access the the static field in the class in the signed jar file from my grails application safely knowing that the jar has not been tampered with (otherwise an exception will be thrown), and also without any extra work required like "accepting" the signature.
我的第3步假设是否正确?这是我尝试做的一个好方法吗?如果没有,什么是标准做法?
Is my step 3 assumption correct? Is this a good approach for what I am trying to do? If not, what is standard practice?
谢谢!
推荐答案
如果用户必须在坚持存在签名且可以正常工作的环境中运行它,则这只是防篡改".如果将jar交给可以在普通JVM中运行它的普通人(而不是作为applet,而不是作为webstart),他们可以自由地完全删除签名.如果要尝试停止此操作,则必须编写代码以调用Class.getSigners并在看不到自己的地方爆炸.因此,他们需要启动asm来写出不存在的检查单,并且他们会很好.
It's only 'tamper proof' if the user has to run it in some environment that insists that the signature is present and functional. If you hand a jar to an ordinary person who can run it in an ordinary JVM (not as an applet, not as a webstart), they are free to remove the signature altogether. If you want to try to stop this, you'd have to write code to call Class.getSigners and explode if you didn't see yourself. So, they'd need to fire up asm to write that check out of existence, and they'd be good to go.
Java代码签名允许某些容器从其来源验证jar文件是否保持完整性.它没有为您提供创建防篡改程序包的方法.
Java code signing allows some container to verify that a jar file maintains integrity from its source. It does not give you a means of creating a tamper-proof package.
这篇关于使用jar签名作为一种许可证密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
