我为什么要签署我的JAR文件？ [英] Why should I sign my JAR files?

问题描述

为什么要签署我的JAR文件？

Why should I sign my JAR files?

我知道我需要签署我的客户端JAR文件（包含Applet）以便特殊的东西，比如文件系统访问可以做到，所以窗口底部的烦人的位没有显示，但为什么呢？我是否需要签署包含Servlet等的服务器端JAR文件？

I know that I need to sign my client-side JAR files (containing Applets) so that special things like filesystem access can be done, and so that the annoying bit at the bottom of windows doesn't show, but why else? And do I need to sign my server-side JAR files containing Servlets, etc.?

有关何时何何不签署JAR的一些基本规则将不胜感激 - 谢谢！

Some basic rules for when and when not to sign JARs would be appreciated - thanks!

推荐答案

简短的回答 - 不要，除非你的公司政策强迫你。

The short answer - don't, unless your company policy forces you to.

长答案

签名罐子有效地告诉你的客户我做了这个，我保证它不会弄乱你的系统。如果是这样的话，来找我报复 。这就是为什么从远程服务器（applets / webstart）部署的客户端解决方案中的签名jar比非签名解决方案享有更高的权限。

The long answer
Signing jars is effectively telling your customer "I made this, and I guarantee it won't mess up your system. If it does, come to me for retribution". This is why signed jars in client-side solution deployed from remote servers (applets / webstart) enjoy higher privileges than non-signed solutions do.

在服务器端解决方案中，在这里您不必安抚JVM安全需求，这种保证只会让您的客户高枕无忧。

签名罐子的坏处是它们的加载速度比无符号罐子慢。慢多少？它受CPU限制，但我注意到加载时间增加了100％以上。此外，补丁更难（你必须重新签署jar），类补丁是不可能的（单个包中的所有类必须具有相同的签名源）并且拆分jar变成一件苦差事。更不用说你的构建过程更长，并且正确的证书需要花钱（自签名是无用的）。

On server-side solutions, where you don't have to to placate the JVM security demands, this guarantee is only for your customer peace of mind.
The bad thing about signed jars is that they load slower than unsigned jars. How much slower? it's CPU-bound, but I've noticed more than a 100% increase in loading time. Also, patches are harder (you have to re-sign the jar), class-patches are impossible (all classes in a single package must have the same signature source) and splitting jars becomes a chore. Not to mention your build process is longer, and that proper certificates cost money (self-signed is next to useless).

因此，除非你的公司政策强迫你，不要在服务器端签名jar，并将常见的jar保留在签名和非签名版本中（签名转到客户端部署，非签名转到服务器端代码库）。

So, unless your company policy forces you to, don't sign jars on the server side, and keep common jars in signed and non-signed versions (signed go to the client-side deployment, non-signed go to server-side codebase).

这篇关于我为什么要签署我的JAR文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！