Code is usually signed because it requires elevated privileges, more than the default set of permissions, to perform some tasks. Although it is often a bad idea to sign code (see ENV00-J. Do not sign code that performs only unprivileged operations), some actions require it. For example, if an application requires an HTTP connection with an external host to download plugins or extensions, its vendor may provide signed code rather than requiring that the user deal with complex security policies. Because executing signed code can be extremely dangerous, verifying the authenticity of its origin is of utmost importance.
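The following is an added example, not code from the original page, showing what "verifying the authenticity of its origin" means in practice for a signed JAR. It assumes the application pins a trusted signer certificate loaded from a file (the `SignedJarVerifier` class, its method names, and the argument order are hypothetical). The point it demonstrates: opening a `JarFile` with `verify=true` only checks that each entry matches its signature file while the entry is read; it does not check who signed the entry, and it does not object to unsigned entries added to an otherwise signed archive, so both checks have to be done explicitly before any class from the JAR is loaded.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (hypothetical class): pin a signer and verify every JAR entry against it. */
public final class SignedJarVerifier {

    private SignedJarVerifier() {}

    /**
     * Returns true only if every non-signature entry in jarPath is signed with a
     * certificate path containing trustedSigner. A tampered entry causes
     * JarFile to throw SecurityException while the entry is being read.
     */
    public static boolean verify(String jarPath, X509Certificate trustedSigner) throws IOException {
        // verify=true: entry digests are checked against the .SF/.RSA/.DSA/.EC files
        // as each entry is read. Signer identity is NOT checked here.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) {
                    continue;
                }
                // Code signers are only populated after the entry has been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // drain; a modified entry raises SecurityException here
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry inside a "signed" JAR: reject the whole archive
                }
                if (!signedByTrusted(signers, trustedSigner)) {
                    return false; // signed, but not by the signer we pinned
                }
            }
        }
        return true;
    }

    /** True if any signer's certificate path contains the pinned certificate. */
    private static boolean signedByTrusted(CodeSigner[] signers, X509Certificate trusted) {
        for (CodeSigner signer : signers) {
            for (Certificate cert : signer.getSignerCertPath().getCertificates()) {
                if (cert.equals(trusted)) { // Certificate.equals compares encoded forms
                    return true;
                }
            }
        }
        return false;
    }

    /** Manifest and signature files are not themselves signed entries. */
    private static boolean isSignatureRelated(String name) {
        String upper = name.toUpperCase();
        if (upper.equals("META-INF/MANIFEST.MF")) {
            return true;
        }
        return upper.startsWith("META-INF/")
            && (upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC"));
    }

    // Assumed usage: java SignedJarVerifier <plugin.jar> <trusted-signer.cer>
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate trusted;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            trusted = (X509Certificate) cf.generateCertificate(in);
        }
        trusted.checkValidity(); // reject an expired or not-yet-valid pinned certificate
        System.out.println(verify(args[0], trusted) ? "trusted" : "NOT trusted");
    }
}
```

Only after `verify` returns true should the JAR be handed to a class loader; loading it first and checking later defeats the purpose, because class loading is exactly the step the attacker needs.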
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="381e3ce2907746c9-51832ac3-4e844bd0-a99d9cda-0c6d0a3eff13254efeda4106"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Improperly Verified Signature [XZR]" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 300, "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')" |
| CWE ID 319, "Cleartext Transmission of Sensitive Information" |
| CWE ID 494, "Download of Code Without Integrity Check" |
| CWE ID 347, "Improper Verification of Cryptographic Signature" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3ca8012e450c59c7-627290a2-40cb42f5-b02a8f08-9c83b29d0bd2d0746b40a907"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4102a9ba817639d1-83dbe87c-4abc4225-bf0a9d74-ad0239f05d6726f22af10c4c"><ac:plain-text-body><![CDATA[ | [[Bea 2008 | AA. Bibliography#Bea 08]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="82cac5c0b7c44cc2-796ecb25-43044131-9e729736-835ac46083eadc570117bb1e"><ac:plain-text-body><![CDATA[ | [[Eclipse 2008 | AA. Bibliography#Eclipse 08]] | [JAR Signing | http://wiki.eclipse.org/JAR_Signing] and [Signed bundles and protecting against malicious code | http://help.eclipse.org/stable/index.jsp?topic=/org.eclipse.platform.doc.isv/guide] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7830433aad38d711-3df082fb-496a4774-a497955d-4629a7c35cb5be37c23f9037"><ac:plain-text-body><![CDATA[ | [[Fairbanks 07 | AA. Bibliography#Fairbanks 07]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5c12cfa9fa808e46-bd82a707-4ca344d2-9c579be9-c4d715d1d6d177e6018e7437"><ac:plain-text-body><![CDATA[ | [[Flanagan 2005 | AA. Bibliography#Flanagan 05]] | Chapter 24. The java.util.jar Package | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7c1af835cc97e532-3873752d-4ff44580-bf138b9d-dd2c12ac536977373146976f"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | 12.8.3 jarsigner | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="564e6e4ea26c91ca-2f24b8ed-4ed94922-8815873f-5f2fa33e115528ea231001cc"><ac:plain-text-body><![CDATA[ | [[Halloway 2001 | AA. Bibliography#Halloway 01]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="42f3275c2dc02726-bb9de5c7-4ff447d1-9047a04b-d5447cd14c56273792e5bac1"><ac:plain-text-body><![CDATA[ | [[JarSpec 2008 | AA. Bibliography#JarSpec 08]] | Signature Validation |
| ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="96a3b7511f9db7c2-bb199a26-499f4c4c-a038b173-352600119ff70a6066bf33a0"><ac:plain-text-body><![CDATA[ | [[Oaks 2001 | AA. Bibliography#Oaks 01]] | Chapter 12: Digital Signatures, Signed Classes | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0544c32f4be169f6-a4ad7f21-47334d60-89c9b735-a36f91109ee90880b61ed517"><ac:plain-text-body><![CDATA[ | [[Muchow 2001 | AA. Bibliography#Muchow 01]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c549cf8648a99e37-b87e00a7-4b5e4aaa-b8e4bd2d-429239d7221b86c014863433"><ac:plain-text-body><![CDATA[ | [[Tutorials 2008 | AA. Bibliography#Tutorials 08]] | [The JarRunner Class | http://java.sun.com/docs/books/tutorial/deployment/jar/jarrunner.html], [Lesson: API and Tools Use for Secure Code and File Exchanges | http://java.sun.com/docs/books/tutorial/security/sigcert/index.html] and [Verifying Signed JAR Files | http://java.sun.com/docs/books/tutorial/deployment/jar/verify.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...