
JavaFX Application - What needs to be signed?

I'm deploying a JavaFX application and am not quite sure what does and doesn't need to be signed. Here are my thoughts:

- Installation file: This obviously needs to be signed.

- The EXE that launches the application: I believe this needs to be signed, although it feels a little bit funny because it isn't my code.

- My JAR files: I believe that these also need to be signed, although I'm not sure if anything terrible happens if I don't.

- Library JARs that I've grabbed off the internet: I don't feel like I should sign these. Is there any reason to?

- Java runtime: I'm guessing there's no reason to sign this, and I'd probably violate some agreement if I do.

- JNLP file: Not using this, no reason to touch this.

Have I looked at this properly? Am I signing the correct files?

asked Jul 29 '16 02:07

Sander Smith


1 Answer

A friend of mine has a saying: "it's not what you did... it's what you can prove in court."

With this respect, I advise you to look at this problem from a legal point of view and assume the worst possible context it can apply in; i.e. you becoming legally accountable after someone tampers with your software.

Digital signatures are designed especially for these types of problems.

With this respect, let's split your answer into 2 different classification parts:

  1. the software you're releasing - includes your jars, jnlp, bundled .exes, etc.

    • all of these must be signed in order to ensure that you can't be affected by any unauthorized tampering with your own code. It doesn't matter whether or not you've released that jnlp. If someone generates an invasive one and it's traced back to you, your failure to authenticate your own released version of that jnlp will not be ok.
  2. the software released by other people - includes everything which you're using in order to get your system to work. (jre, libs)

    • when using something like this, it's a good idea to make sure you're using a genuine copy of whatever your lib manufacturer has released. Use their checksums/signatures/etc. to validate and verify their software integrity upon demand. You have to read their liability and disclaimer statements and in the event they fail to provide one themselves.

    • In general it is a good idea to place as little trust as possible when it comes to software sources other than yourself. Unfortunately, there are many compromised or malicious libs out there which are in fact security risks.

    • it is always a good idea to make sure you're releasing a downloaded lib which is certified by an external issuer and as such cannot be held responsible for any malicious code detected within.

To answer your question... it really depends on the client endpoint and the likelihood of you getting sued for providing them with a security risk (I advise you to always expect this to be 100%). If you're liable for damages... you need to proceed accordingly.

In short... the best possible answer to this question is to do whatever is possible to cover yourself in the event the worst happens.

answered Oct 26 '22 18:10

EverNight
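
The split described in the answer, as an added example that is not part of either post: a pre-release audit that expects your own JARs to carry signature files and checks each third-party JAR against a checksum pinned from its publisher. The JAR names, the `audit` helper and the in-memory sample bundle are assumptions constructed for illustration.

```python
import hashlib, hmac, io, zipfile

def make_jar(entries):
    """Build an in-memory JAR (a ZIP) from {entry name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def has_signature_files(jar_bytes):
    """Structural check: META-INF holds a .SF file plus a .RSA/.DSA/.EC block.
    It does not validate the signature itself; `jarsigner -verify` does that."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    return (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))

def audit(bundle, own_jars, pinned_sha256):
    """Classify every JAR in the bundle; returns {jar name: finding}."""
    findings = {}
    for name, data in sorted(bundle.items()):
        expected = pinned_sha256.get(name)
        if name in own_jars:
            ok = has_signature_files(data)
            finding = "ok: signature files present" if ok else "FAIL: own JAR unsigned"
        elif expected is None:
            finding = "FAIL: no publisher checksum pinned"
        elif hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
            finding = "ok: matches publisher checksum"
        else:
            finding = "FAIL: checksum mismatch"
        findings[name] = finding
    return findings

# Constructed sample bundle; signature entries are placeholders, not real signatures.
GENUINE_LIB = make_jar({"org/lib/Util.class": b"genuine"})
BUNDLE = {
    "app.jar": make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                         "META-INF/APP.SF": b"placeholder", "META-INF/APP.RSA": b"placeholder",
                         "com/example/Main.class": b"app"}),
    "plugin.jar": make_jar({"com/example/Plugin.class": b"plugin"}),
    "lib-a.jar": GENUINE_LIB,
    "lib-b.jar": make_jar({"org/lib/Util.class": b"modified"}),
    "lib-c.jar": make_jar({"org/other/X.class": b"x"}),
}
OWN_JARS = {"app.jar", "plugin.jar"}
PINNED = {"lib-a.jar": hashlib.sha256(GENUINE_LIB).hexdigest(),  # stand-ins for digests
          "lib-b.jar": hashlib.sha256(GENUINE_LIB).hexdigest()}  # published by the vendor
```

Calling `audit(BUNDLE, OWN_JARS, PINNED)` flags `plugin.jar` as unsigned, `lib-b.jar` as not matching its pinned digest and `lib-c.jar` as having no pinned digest at all.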