All,
I need to digitally sign a zip file. I am not sure how to do that. What does the digital signature do for me? And just as importantly, how do i verify the digital signature?
You can get a great reading on JAR signing (http://www.cs.princeton.edu/introcs/85application/jar/sign.html) and having in mind that JAR is a ZIP with a MANIFEST, I'd say you go with JAR signing and that's it.
Recent versions of APPNOTE (this is where PKWare publishes ZIP format specification) describe digital signature of ZIP archives. The problem is that they don't let one implement signing functionality and reserve it for their own use in their SecureZip software. From legal point of view you are allowed only to perform validation of ZIP archive signatures.
Our SecureBlackbox component library includes ZIP processing components, which include, among many other functions, validation of ZIP archive signatures. We attempted to acquire a license from PKWare to perform signing as well, but they didn't even discuss such option internally, so they were not able to give us a definite answer.
Related
I'm using Qt Installer Framework to install my Linux app in several OS like Redhat/Centos and Ubuntu. It works nice but for compliance reasons I have to add a step where the user is mandated to enter a key that will be stored with the application binaries. This encrypted text key will unlock features in the given application.
I'm not looking for a hacker-proof solution, just something that I can legally claim the user had to do in order to install the binaries. This is to protect us in court, so the client does not claim they just downloaded the software from the internet and run. We have to say that the only way they were using the application is by either tampering with the installer, copying from another client (which is illegal) or actually agreeing with the EULA conditions.
The way that currently is, the binaries are stored with vanilla compression (7zip) in the web server (I only allow online installer) and anyone can download and unpack the 7zip container thus creating a legal breach.
There's an option in the package to display a License Agreement prior to installing the binaries. It is mandatory to accept the term before you can proceed.
Wouldn't that be enough for your use-case ?
You can have a look at the official Qt IFW Documentation to have a look at the "Licenses" xml element or directly into the translation example.
Regards
I'm planning to use JXCore for two reasons.
to make an executable file with no dependencies for my Node.js project
to protect my javascript source code
First purpose is worked fine, but I can't ensure second thing.
Is it secure from Reverse Engineering if I use JXCore for my project and make a executable file?
Can someone read my source code(javascript) if he broke my executable file?
Thank you for reading.
JXcore is an open source project, so it cannot guarantee source code protection. The source files are not really kept encrypted inside the exe file (native package) - they are only compressed. The packaging algorithm is visible from the source code so people may look into it. Nevertheless it may not be a straightforward task, so probably not anyone can do it. But still, although I haven't see any extracting tools as of yet, it doesn't mean that they will not arrive at some point.
But you may consider adding an extra difficulty layer and obfuscate your javascript files before creating your exe.
first things first , i have seen nwsnapshot. and its not helping.
i am building an inventory management system as a desktop app using node-webkit . the project being built is using compoundjs (mvc javascript library). which have a definite folder structure (you know mvc) and multiple javascript files inside them.
the problem is nwsnapshot allows the app to have only a single snapshot file but the logic of application is spread over all the folders in different javascript files.
so how do i secure my source code before shipping it to client? Or any other work-around Or smarter way (yes, i know about obfuscating).
You can use nodewebkit command called nwsnapshot to compile the javascript code into binary which will be loaded into the app without specifying any js file
nwsnapshot --extra-code application.js application.bin
in your package.json add this:
snapshot: 'application.bin'
It really depends on what you mean by "secure".
You can obfuscate your javascript code fairly well (as well as potentially improve performance) by using the Google Closure Compiler.
I'm not aware of any off-the-shelf solutions to encrypt/decrypt your javascript, and honestly I would question the need for that.
Some people think they need to make it impossible to view their source code, because they're used to dealing with compiled languages where you only ship binaries to users. The fact is, reverse-engineering that binary code was never as difficult as some people think it is, so if there's any financial incentive, there is practically no difference between shipping source code and the traditional shipping of binaries.
Some languages have offered genuine encryption of deployed assets, such as Microsoft's SLPS. It seems to me that the market for this was so small that Microsoft gave it to a partner (just my view). The truth is that most customers are not interested in taking your source code; they're far more interested in your ability to service and support that code in an efficient manner, while they get on with their job.
You may consider to merge the JS files into one in the build process and compile it.
I have a PGPPublicKey object. I want to get a list of all signatures(with UserId, email Id, trust level for each singature) associated with it using Bouncy Castle API. I tried but couldn't get it. If anyone has an example link or knows which method to use to get it, please let me know.
I've never used these classes but I thought it might be helpful to post some resources.
It looks like the Bouncy Castle OpenPGP releases include some examples.
I recommend using these examples to solve your problem. Specifically, it looks like you will need to use PGPSignatureList and PGPSignature classes which are utilized in the examples. However, I don't see emailId in any of the classes.
SignedFileProcessor.java: A simple utility class that signs and verifies files.
DetachedSignatureProcessor.java: A simple utility class that creates seperate signatures for files and verifies them.
Also, http://www.bouncycastle.org/documentation.html suggests the following.
Finally there are also code examples from Beginning Cryptography with Java which demonstrate both the use of the JCE/JCA and also some of the Bouncy Castle APIs such as for certificate generation, CMS and S/MIME. Note: the book was written to cover J2SE 5.0, while many of the examples will work with earlier JDKs, some will not compile if you are not using J2SE 5.0 or later.
Probably is a straight-forward question: do you know any tools for combining multiple wsdl + xsd files into a single wsdl?
Thank you.
Edit1:
The service is a WCF service, and I want to have a single wsdl for PHP (as client).
Edit2:
Too bad I need to use .Net 4.0 and not 4.5 where this would be possible. Maybe I could borrow then one of the new MS tools? Do you know which one? Is the svcutil.exe the responsible tool? If yes, what are his dependencies? Because I don't want to jump to .Net 4.5 just yet.
You can build a small application that can generate a flat wsdl. We do generate flat wsdl programatically in C# for building interoperable WCF services. Refer to the link on how to generate flat wsdl.
Hopefully seeing the code you can build a tool that does it for you.
Else you can manually do it using Altova Xml Spy and replacing the xsd import attributes by the xsd schema definition.
For sure, I can recommend a tool that can combine multiple XSD files into the minimum set possible (I am biased here, since I wrote it). This in itself can be a heavy task, if you have a large number of files, many namespaces, or both. The things might get trickier for multiple WSDLs into one, depending on some parameters you may have configure; for example, is it logically one WSDL authored over three layers that maintains separation of messages - portTypes - services, or multiple WSDLs, period? One thing you must ensure is that all share the same types subsystem, there's no conflict for operations, etc. But even this is a task that could be achieved, I could easily put an addon out... If this is refactoring of XML Schemas and WSDLs you see doing often, let me know.
We wanted one wsdl file to make use of some tools to automatically generate soap proxy on PHP side. But we ended up writing the DTO layer manually.
If you have wcf service in .NET 4.5 you can get easily only one wsdl file (inbuilt feature of WCF framework).