Pitfalls of verifying signed jar files

In the Java world, it’s possible to digitally sign a jar file using ‘keytool’ to generate or import a digital signature, and ‘jarsigner’ to do the signing. What isn’t so obvious is that when we use ‘jarsigner’ to verify a signed jar, it doesn’t verify that we trust the signature that signed the file. It simply tells us whether the contents were signed by a public key that was included with the jar file.

Surprisingly, there’s no option to tell jarsigner to check for trusted signatures.

In code, we can use java.util.jar.JarFile to check the validity of a jar file. By default, the constructor to JarFile says we want to check the validity. Code must then iterate through each entry in the JarFile and seek to the end of each input stream, otherwise, the integrity isn’t checked. In other words, the java.util.jar.JarFile doesn’t give us the integrity checking with a simple method call such as isValid(), and it doesn’t give us an easy way to check that we trust the signature that the entries were signed with.

Anyone, anywhere, can create their own certificate, and sign a jar file — so if we want to establish trust for a signed jar, we get to do extra work. On stackoverflow.com, Jarek Przygódzki linked to code that shows how to check for trusted signatures.

I wonder why establishing trust for a signed jar isn’t easier. Could it be that signed jar files originated in the bygone era when we ran Java applets in our web browsers? Did web browsers use their certificate authority database to verify some level of trust for the signature contained in a jar file?

Verifying trust is a delicate issue, as demonstrated by the recently hacked certificate authorities including Diginotar and Comodo. Perhaps it’s a good thing that Java’s libraries and command line tools don’t make it deceptively simple to check jar files based on certificates trusted by Certificate Authorities.

Still, I wish the documentation for jarsigner and JarFile would shed more light on the limits of their default verification. I’d call it “hash checking” or “integrity checking based on hashing”.

 

Easy updates with iOS and Linux vs bomardment from Windows

When I want to check email on my iPod Touch, I simply unlock it, load the email application, and read messages. What a joy. The tool works and works for me. It is my servant, instead of me being its servant.

Compare that to my corporate Windows Laptop. I open the lid and unlock it, wait for corporate anti-virus (I think) to chew through the I/O on my machine for several minutes. Then I can read my email using the unimpressive and slow Lotus Notes (I’d rather be using Thunderbird, Outlook, or speedy mutt).

Or compare to my home Windows Laptop. I open the lid, log in, and am bombarded with requests from several programs to install updates. I just want to check my email, not be attacked with annoying “update me!” windows. I see one from Thunderbird, another from Adobe Flash, another from Mozy and another from Firefox. By the time I’ve upgraded, sometimes I’ve forgotten what I wanted to accomplish in the first place.

Apple has it right with updates for the iPod Touch: They stay out of my way until I want to bother with them, and then they’re all manged together.

Linux has it right: A single package manager updates everything, in one shot, including from third parties.

I’ll continue to use Windows. There are other benefits, even though third-party updates are annoying.

The dog ate my grub.conf; unwanted LVM indirection

In September, I updated packages on my Fedora 14 machine using ‘yum’ (Yellowdog Updater Modified), and rebooted. I was greeted with an unfriendly grub prompt. Boot was broken, and I didn’t know why.

Normally when I want to rescue a Linux system, I use the Fedora install DVD’s rescue mode. Unfortunately, my DVD drive stopped working just after the warranty expired. So I booted using a Linux-on-a-USB image that I carry around with me.

I planned on replicating the rescue mode experience by manually mounting the partitions in /mnt/sysimage, then chroot, and then run ‘grub-install’ to fix things. And that’s what I did, except for a few snags.

The first snag is that I had installed Fedora with default partitioning options (something I rarely do), and it had helpfully used LVM to configure my disk drive. LVM adds a layer of indirection, so I had to figure out how to mount an LVM volume instead of a disk partition. As a general rule, I never use LVM on desktop or laptop machines because I don’t like the additional complexity, especially when I’m trying to mount a drive to recover data.

The next snag is that Linux uses UUIDs for hard disks these days, instead of helpful, human-readable labels. In the good old days, Linux distributions would label the root partition, the home partition, and others. But not when I let the installer work its default magic. So, I had to figure out which volume contained my root partition, my boot partition, and so forth.

Once I mounted my partitions properly, I was ready to “chroot /mnt/sysimage”, and after I did, I ran “grub-install”. No luck. This was the third snag.

I realized that /boot/grub/grub.conf was empty. And grub-install doesn’t fix the problem — it can’t populate information that is completely missing, like knowing what disk UUID to use for the root partition.

“No problem,” I thought, “I’ll just restore from backup…”. Except, I didn’t have a backup. As a general rule, I back up /var, /home and /etc, but not /boot. Now I know better.

Surely, I thought, there should be a copy of grub.conf that the package updates had left around. But there wasn’t.

Such a critical file, and there was no automated backup. No “restore point”. No way to recreate it from data in /etc. What an oversight!

This is the first time I can remember having had an update eat my grub.conf file, and I’ve been running Linux since before distributions switched to grub as a boot loader. On the other hand, maybe I jumped to to an incorrect conclusion — it’s possible that the updates didn’t eat my grub.conf. Regardless, grub.conf was empty and my system wouldn’t boot.

It seems to me that something this important should have been designed with more resilence.

There were two ways to fix it, as far as I could see. One is upgrade from Fedora 14 to Fedora 14 (thus preserving my data). The second is to recreate grub.conf by hand, and for that, I needed an example — a template. I used the one at http://forums.fedoraforum.org/showthread.php?t=227358. My boot up screen isn’t as pretty as it once was, but it is functional.

Lastly, I made copy of /boot/grub/grub.conf. Now where did I put it?…

Technology and greatness

I like this quote: No technology, no matter how amazing… can by itself ignite a shift from good to great…. No technology can turn the wrong people into the right people. No technology can instill the discipline to confront brutal facts of reality, nor can it instill unwavering faith. No technology can supplant the need for deep understanding…. No technology can create a culture of discipline. — Jim Collins, Good to Great, p 161.

Hazards of Best Practices

“Best practices are a hazard because they ask us to substitute slogans for thinking.” — Pete McBreen, p. 125 Software Craftmanship.

Sometimes best practices are used to shift blame by using the bandwagon fallacy: “Everyone else is doing it — it’s a best practice, so don’t blame me”. Sure, there’s strength in numbers, but not necessarily wisdom in numbers.

ORM Solutions for C++ and sqlite: hiberlite, SOCI

I think SQLite is a great database for a C/C++ application to use. It sure is easy to query the data that way, without intrinsic support from the application. When the application changes, the database is still accessible via standard sqlite clients. Yet using SQLite in an application can require a lot of repetitive code to serialize objects to and from the database, so I wondered if there are ORM solutions for C/C++. It turns out that there are. I only had to turn to stackoverflow.com to find the following (among many):

  1. Hiberlite
  2. SOCI

NPR: When Patents Attack!

I write software for a living, and I have a hard time recognizing redeeming value of software patents (other than to have something to negotiate with when someone tries to sue a company). Reading the NPR transcript about patents got my blood boiling. The system has been gamed, and patent troll companies legally extort money from other companies.

Read or listen here. Are there good reasons to have software patents, and if so, on what types of inventions and in what circumstances?

Norton 360: Unbearably slow

I’ve got a Windows Vista laptop that’s about five years old. It’s a dual CPU machine with 2G of RAM. After installing several bits of new software, I noticed that it was unbearably slow when logging in, switching users, and logging out. The CPU use wasn’t too high, but the disk drive light indicated that it was being kept very busy. I booted Fedora 14 Live from a USB drive, and the computer was snappy and responsive.

I monitored the system processes, and most of the I/O reads and writes were attributed to svchost. On a Linux or UNIX machine, it would have been easy to identify which service was the culprit because each service (known as a daemon) runs as a separate process. But in Windows, services run as part of svchost, making them hard to identify and monitor individually.

Since I didn’t know what was causing the slowness, I guessed and uninstalled Mozy backup. Nope. That wasn’t it. My computer was still slow. So I uninstalled Norton 360. Problem solved. The computer is responsive and snappy again, and has remained so for the past month.

Shortly after I uninstalled Norton 360, a neighbour called and asked if I could figure out why “the Internet was running so slowly”. He thought he had Windows 7. When I arrived, I found that it was Windows XP running in 512M of RAM. I booted Fedora 14 from my USB flash drive, and found that his computer ran quickly and loaded web pages quickly. His Windows XP machine was running Norton 360, and task manager showed that Norton processes were consuming large amounts of disk I/O.

I uninstalled Norton 360, and on the recommendation of a smart colleague, installed the free Microsoft Security Essentials. The computer ran quickly after that. My neighbour is pleased. I went home and installed Security Essentials on my Vista machine, with little noticeable slowdown.

My conclusion is that Norton 360 may only be appropriate for newer hardware and generous amounts of RAM (4G or more).

Gnome 3: Not quite ready for prime time

Just over a week ago, I installed Fedora 15. After using Gnome 3 for two days, I decided that I’m better off using Gnome 2, KDE or XFCE.

With Gnome 3, I like the ability to type the name of the application I want to run instead of hunting for it in a menu. This is a feature I’ve enjoyed for the past five years with Windows Vista, so it’s refreshing to finally have it appear in Gnome.

With Gnome 3, however, I miss the following:

  1. A system monitor applet. When my system starts to feel slow, I pay attention to CPU and I/O wait overhead.
  2. Multi-monitor support when changing workspaces. When I move to a new workspace, Gnome 3 only moves one of my two screens to a new workspace. The other stays the same.
  3. Quick launch icons. I use them for Firefox, gVim, Eclipse, and other frequently used apps.

I expect that Gnome 3 will be improved rapidly, and Fedora 16’s Gnome 3 will more productive.

Update: There’s a list of ways to tweak Gnome shell to make it almost bearable: http://forums.fedoraforum.org/showthread.php?t=263006. In particular, by installing and using “gnome-tweak-tool”.

Misc Linux things: PATA or SATA, mutt and mailcap, tarsnap backup

The other day, I wondered whether the drive in my laptop was PATA or SATA. Fortunately, I didn’t have to tear it apart to find out. I simply wandered over to stackexchange.com and asked the question. Here’s the answer:

lspci -d $(cat /sys/block/sda/device/../../../vendor):$(cat /sys/block/sda/device/../../../device)
readlink -f /sys/block/sda/device/../../../driver

I’m a long time user of the mutt email client (as well as Thunderbird). At some point, viewing the HTML attachment (with the ‘v’ key) stopped invoking ‘lynx’ via my mailcap file. It turns out that the developers of mutt added an internal viewer, and moved mailcap support to the “m” key. I took the time to switch from using ‘lynx’ to using ‘links’. Here’s the entry from my $HOME/.mailcap file:

text/html; /usr/bin/links -dump -force-html %s; copiousoutput; nametemplate=%s.html

I’ve been gradually looking for an online, off-site Linux backup tool for  the past few years. I tried spideroak, but wasn’t pleased with the giant log files it kept in my home directory, and it wasn’t designed to back up files outside of my user account. Lately, I stumbled on another promising tool: tarsnap. I haven’t tried it yet, but I will. Pricing looks reasonable, and since it “deduplicates” storage, it means that I shouldn’t be backing up the same thing repeatedly. Here’s how one person configures tarsnap to keep up to X daily backups, Y weekly, and Z monthly.