I have a question:
- Why do I need to sign a .JAR using jarsigner? Is there a specific reason or use for that?
- Same question when I tag a version on GitHub?
If you sign a JAR with your private key, you can guarantee that it comes from you — same with a commit tag. The way this works is that you have a pair of keys: public and private. These keys decrypt each other. If you sign your jar with your private key, others can decrypt the signature with your public key and since, presumably, no one has your private key, they can be pretty sure it comes from you.
Now, there is an even cooler layer which you may or may not be interested in. Say you want to guarantee that your jar can only be used by the person you intend it for. You can first sign the jar with your private key, so that they know it’s from you, then encrypt (different from signing) the jar (or message — the more common use case for this is an email) with their public key. Now, only the person you intend the message for can decrypt it since only they have access to their private key.
This is how public/private key encryption works.
Why is this important? Some services, take the Android Play Store for example, require you to sign your jar (apk) before submitting it to add a layer of security. In the case of jars and commit messages, the code you are signing is not actually encrypted as would be the case if you’re trying to send a private email or packaging an iOS app. You are simply adding a virtual signature to your work generated by hashing the input jar or commit message/digest and encrypting that with your private key. Thus, no one else can generate the same signature as you (save in the extremely unlikely event of a collision).
By attaching your signature to the code, you are saying that you are responsible for it. If I somehow got hold of the Facebook developer account for the Play Store, I couldn’t just upload a new Facebook app update that sends me 100s of millions of users’ information, because I would be unable to forge Facebook’s signature without their heavily protected private key. It’s the same idea for commit messages. You are keeping a record of who does what. You can hold people responsible and, on top of that, prevent unauthorized people from committing code.
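The hash-then-sign and verify steps the answer describes, as an added example in Go that is not part of the original question or answer. Ed25519 stands in for whatever key type a jarsigner keystore or a git signing key actually holds (with Ed25519 the verifier runs a check rather than literally "decrypting" the signature, but the trust argument is the same); the JAR bytes are constructed, and all type and function names are my own. It shows the three things a consumer relies on: the genuine artifact verifies, a single flipped byte does not, and a signature from someone who only has the public key does not either.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher owns a key pair (hypothetical type). Only the public half is
// ever handed out; the private half stays with whoever vouches for the code.
type Publisher struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewPublisher generates a fresh Ed25519 key pair, standing in for the key a
// jarsigner keystore or a git signing key would hold.
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Public: pub, Private: priv}, nil
}

// Digest is the hash that actually gets signed. Signing the digest rather
// than the raw bytes keeps the signature a fixed size no matter how large
// the JAR or commit is. (Ed25519 hashes internally as well; pre-hashing here
// mirrors the hash-then-sign description in the answer.)
func Digest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// Sign produces the detached signature the publisher ships with the artifact.
func (p *Publisher) Sign(artifact []byte) []byte {
	return ed25519.Sign(p.Private, Digest(artifact))
}

// Verify is what the consumer runs: recompute the digest from the bytes it
// received and check the signature against the publisher's public key. Any
// change to the bytes, or a signature made with a different private key,
// makes this return false.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, Digest(artifact), sig)
}

// Tamper returns a copy of the artifact with its last byte flipped,
// simulating a modified build served in place of the original.
func Tamper(artifact []byte) []byte {
	out := append([]byte(nil), artifact...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	publisher, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a JAR (real JARs are zip files and start "PK\x03\x04").
	jar := []byte("PK\x03\x04 constructed jar contents: com/example/App.class")

	sig := publisher.Sign(jar)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("genuine artifact verifies:     ", Verify(publisher.Public, jar, sig))
	fmt.Println("tampered artifact verifies:    ", Verify(publisher.Public, Tamper(jar), sig))

	// Someone holding only the public key (which everyone has) can sign with a
	// key of their own, but that signature does not verify under the
	// publisher's public key, so it cannot be passed off as the publisher's.
	attacker, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	fmt.Println("attacker's signature verifies: ", Verify(publisher.Public, jar, attacker.Sign(jar)))
}
```

The same three checks are what `jarsigner -verify` and `git tag -v` perform for you; the difference in practice is only where the public key comes from (a keystore certificate or a GPG keyring) and that those tools also tell you whether the key is one you trust, which this example does not model.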