Java Tool Extensions for Supporting Multiple Recommenders and Distributed Bundles

A JAR (Java Archive) is typically used to incorporate code and associated resources into one file to distribute Java software. A cryptographically signed JAR file provides assurance about the authorship of the contents of the archive. We use Signed JAR files as part of a recommendation system. In this system different recommenders will evaluate the same software, and they need to sign the exact same JAR file. The user wants to verify that recommendations (i.e., signatures) received independently from multiple parties, e.g., for a software update, pertain to the exact same software. Related problems occur when users try to sign bundles consisting of files maintained on different servers. The tools in the Java Development Kit do not support this kind of application. We propose techniques to enable the signing of distribute bundles and techniques by which recommenders can sign software independently and such that verifiers are enabled to combine the recommendations. There changes to the Java jarsigner tool would avoid special purpose code which duplicates many of the same capabilities of the existing tools.