为什么要签署我的 JAR 文件? [英] Why should I sign my JAR files?
问题描述
为什么要签署我的 JAR 文件?
Why should I sign my JAR files?
我知道我需要对我的客户端 JAR 文件(包含小程序)进行签名,以便可以完成诸如文件系统访问之类的特殊操作,并且不会显示 Windows 底部令人讨厌的部分,但为什么呢??我是否需要对包含 Servlet 等的服务器端 JAR 文件进行签名?
I know that I need to sign my client-side JAR files (containing Applets) so that special things like filesystem access can be done, and so that the annoying bit at the bottom of windows doesn't show, but why else? And do I need to sign my server-side JAR files containing Servlets, etc.?
关于何时和何时不签署 JAR 的一些基本规则将不胜感激 - 谢谢!
Some basic rules for when and when not to sign JARs would be appreciated - thanks!
推荐答案
简短的回答 - 不要,除非您的公司政策强迫您这样做.
The short answer - don't, unless your company policy forces you to.
长答案
签署 jars 有效地告诉您的客户这是我做的,我保证它不会弄乱您的系统.如果是这样,来找我报复".这就是为什么从远程服务器(applet/webstart)部署的客户端解决方案中的签名 jar 比未签名的解决方案享有更高的权限.
The long answer
Signing jars is effectively telling your customer "I made this, and I guarantee it won't mess up your system. If it does, come to me for retribution". This is why signed jars in client-side solution deployed from remote servers (applets / webstart) enjoy higher privileges than non-signed solutions do.
在服务器端解决方案中,您不必满足 JVM 安全需求,这种保证只是为了让您的客户高枕无忧.
签名 jar 的坏处是它们的加载速度比未签名 jar 慢.慢多少?它受 CPU 限制,但我注意到加载时间增加了 100% 以上.此外,补丁更难(您必须对 jar 重新签名),类补丁是不可能的(单个包中的所有类必须具有相同的签名源)并且拆分 jar 成为一件苦差事.更不用说您的构建过程更长了,正确的证书也需要花钱(自签名几乎没用).
On server-side solutions, where you don't have to to placate the JVM security demands, this guarantee is only for your customer peace of mind.
The bad thing about signed jars is that they load slower than unsigned jars. How much slower? it's CPU-bound, but I've noticed more than a 100% increase in loading time. Also, patches are harder (you have to re-sign the jar), class-patches are impossible (all classes in a single package must have the same signature source) and splitting jars becomes a chore. Not to mention your build process is longer, and that proper certificates cost money (self-signed is next to useless).
因此,除非您的公司政策强制您这样做,否则不要在服务器端对 jar 进行签名,并将常见的 jar 保持在签名和非签名版本中(签名转到客户端部署,未签名转到服务器-端代码库).
So, unless your company policy forces you to, don't sign jars on the server side, and keep common jars in signed and non-signed versions (signed go to the client-side deployment, non-signed go to server-side codebase).
这篇关于为什么要签署我的 JAR 文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
