Pitfalls of verifying signed jar files

In the Java world, it’s possible to digitally sign a jar file: ‘keytool’ generates or imports the key pair and certificate, and ‘jarsigner’ does the signing. What isn’t so obvious is that when we use ‘jarsigner -verify’ on a signed jar, it doesn’t verify that we trust the certificate that signed the file. It only checks that each entry’s digest matches a signature made by the private key belonging to a certificate bundled inside the jar, and a self-signed certificate is enough for it to report “jar verified.”

Surprisingly, there’s no straightforward option to make jarsigner fail on an untrusted signer. Passing -keystore together with -verify -verbose marks entries whose signer certificate is in that keystore with a ‘k’, but the jar still reports as verified either way. JDK 7 and later add -strict, which lets warnings such as an unvalidated certificate chain change the exit status; check ‘jarsigner -help’ for what your version supports.

In code, we can use java.util.jar.JarFile to check the integrity of a jar file. The JarFile constructor verifies by default (the two-argument form takes an explicit boolean). Verification is lazy, though: the signature over an entry is only checked while that entry’s bytes are read, so code must iterate through every entry and read each input stream to the end, or the integrity isn’t checked at all. A tampered entry surfaces as a SecurityException from the read, and JarEntry.getCodeSigners() returns meaningful data only after the stream has been consumed. Two further gaps follow: an entry that was never signed raises nothing (getCodeSigners() simply returns null, so a partially signed jar passes unless every entry is checked), and nothing in the API tells us whether we trust the certificate the entries were signed with. In other words, JarFile gives us neither an isValid() method nor an easy trust check.

Anyone, anywhere, can create their own certificate and sign a jar file, so if we want to establish trust for a signed jar, we get to do the extra work ourselves. On stackoverflow.com, Jarek Przygódzki linked to code that shows how to check for trusted signatures.
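The following is an added example, not code from this post or from the Stack Overflow answer linked above, of the three checks described so far rolled into one routine: read every entry to the end so JarFile actually verifies the digests, refuse jars with unsigned entries, and validate each signer’s certificate chain against a keystore of trusted certificates with the PKIX validator. The command-line arguments (jar path, keystore path, optional keystore password) and the TrustedJarCheck class name are assumptions made for illustration. Revocation checking is switched off and certificates are validated at the current time, so a jar whose signer certificate has since expired will be reported as untrusted unless you set a date on the PKIXParameters.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class TrustedJarCheck {

    /** Outcome of verifying one jar against a trust store. */
    public enum Status { TRUSTED, TAMPERED, UNSIGNED_ENTRY, UNTRUSTED_SIGNER }

    /**
     * Verifies that every entry (apart from the manifest and signature files,
     * which are never themselves signed) is intact, signed, and signed by a
     * certificate that chains to a trusted certificate in trustStore.
     */
    public static Status verify(File jarPath, KeyStore trustStore) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore); // trustedCertEntry anchors
        params.setRevocationEnabled(false);                       // no CRL/OCSP in this offline example
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // verify=true (also the default) enables signature checking, but JarFile only
        // performs it as an entry's bytes are read, so each stream is read to EOF.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) {
                    continue;
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume to trigger digest verification */ }
                } catch (SecurityException e) {
                    return Status.TAMPERED;            // digest or signature mismatch
                }
                CodeSigner[] signers = entry.getCodeSigners(); // valid only after the read
                if (signers == null || signers.length == 0) {
                    return Status.UNSIGNED_ENTRY;      // a partially signed jar
                }
                for (CodeSigner signer : signers) {
                    if (!chainsToTrustStore(signer.getSignerCertPath(), validator, params)) {
                        return Status.UNTRUSTED_SIGNER;
                    }
                }
            }
        }
        return Status.TRUSTED;
    }

    /** The manifest and the signature files under META-INF carry no signature of their own. */
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-")));
    }

    /** Runs PKIX validation of the signer's chain against the trust anchors in params. */
    static boolean chainsToTrustStore(CertPath path, CertPathValidator validator,
                                      PKIXParameters params) {
        try {
            Set<Certificate> anchors = new HashSet<>();
            for (TrustAnchor ta : params.getTrustAnchors()) {
                anchors.add(ta.getTrustedCert());
            }
            // Signature blocks often include the root certificate; PKIX expects the
            // path to stop just below the trust anchor, so trailing anchors are dropped.
            List<Certificate> chain = new ArrayList<>(path.getCertificates());
            while (!chain.isEmpty() && anchors.contains(chain.get(chain.size() - 1))) {
                chain.remove(chain.size() - 1);
            }
            if (chain.isEmpty()) {
                return !path.getCertificates().isEmpty(); // signer cert is itself a trust anchor
            }
            CertPath trimmed = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            validator.validate(trimmed, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false;                              // no chain to any trusted certificate
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java TrustedJarCheck app.jar trusted.jks [password]
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args.length > 2 ? args[2].toCharArray() : null);
        }
        System.out.println(verify(new File(args[0]), ks));
    }
}
```

The trust store should contain only the certificates you actually trust to sign code (imported with ‘keytool -importcert’), not a copy of the JDK’s cacerts, otherwise any certificate issued by any public CA would be accepted as a code signer.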

I wonder why establishing trust for a signed jar isn’t easier. Could it be that signed jar files originated in the bygone era when we ran Java applets in our web browsers? Did web browsers use their certificate authority database to verify some level of trust for the signature contained in a jar file?

Verifying trust is a delicate issue, as demonstrated by the recently hacked certificate authorities, including DigiNotar and Comodo. Perhaps it’s a good thing that Java’s libraries and command line tools don’t make it deceptively simple to check jar files based on certificates trusted by certificate authorities.

Still, I wish the documentation for jarsigner and JarFile would shed more light on the limits of their default verification. I’d call it “hash checking” or “integrity checking based on hashing”.


Terrific Linux Books

One of my QA coworkers had The Linux Phrasebook sitting on his desk. I noticed it was by Scott Granneman, and immediately thought, “if it’s by him, it’s got to be good.” As I thumbed through the pages of the book, I was impressed at the practical coverage of command line utilities including yum and rpm, apt and deb, etc. I highly recommend this book. It’s small so it’s easy to keep on hand.

For anyone wishing to write applications that take advantage of all that Linux has to offer, I recommend The Linux Programming Interface (also available from Amazon), aka TLPI. I used to recommend Stevens’ Advanced Programming in the UNIX Environment, but now I recommend TLPI because it is more comprehensive and just as readable. It’s not a small book, so a PDF makes it easier to keep on hand. I purchased my copy through the publisher, No Starch Press, with the coupon code “Mamaku” that gave me 30% off and a free PDF. The order total came to $80.00, including shipping.

Awesome Linux profiling tools: top -H and pstack

When I needed to figure out where the performance bottlenecks were in some Linux software, I found helpful answers at http://stackoverflow.com in the form of two tools: 1. naming threads in combination with “top -Hp <pid>” and 2. “pstack <pid>”. The first was helpful for watching which threads were consuming the most CPU. The second was useful for sampling the application over time to find the hot spots and their stack traces.

  • How to name a thread in Linux (or a process) — use prctl().
  • How to use stack sampling to find performance problems — use pstack.

Miscellaneous Linux tips and tricks

Gnome Key Bindings and IntelliJ IDEA

IntelliJ IDEA key bindings conflict with Gnome’s window manager. In IDEA, I can type CTRL-B to jump to a symbol definition. Normally, I’d type CTRL-ALT-LEFTARROW to navigate back to where I had come from. Gnome’s Metacity intercepts that key mapping before IDEA sees it, and tries to move my desktop to the left. There are several other Gnome/Metacity key bindings that conflict with IntelliJ IDEA. Rather than remap the keys in Gnome, I found that on Fedora, I could add the Windows key to the mix, and Gnome would ignore it and pass it along to IDEA. This means that I can type CTRL-ALT-WINDOWS-LEFTARROW to navigate backward, and so forth.

Unfortunately, this doesn’t work in RHEL 5 and CentOS 5. The solution is to go to the Gnome menu bar and select System > Preferences > Keyboard (not Keyboard Shortcuts). Then select the “Layout Options” tab, and expand “Alt/Win key behavior”. Then I select “Super is mapped to the Win-keys”.

Every time I log in after that, Gnome tells me that my X keyboard settings conflict with my Gnome Keyboard settings, and it asks which I want to use. Selecting the Gnome settings is what I want.

Bandwidth limiting downloads with ‘curl’ or ‘wget’

When downloading a large file, it’s nice to be polite to others on the network, so I use the --limit-rate option for curl and wget:

* curl -O --limit-rate 20k http://server.com/linux.iso
* wget --limit-rate=20k http://server.com/linux.iso

GDB TUI (text user interface)

After starting gdb, it’s possible to switch to its text user interface with CTRL-X, CTRL-A. Typing it a second time exits TUI mode.

Vim C++ Auto completion with ctags

I appreciate full-blown IDEs in Linux, but I like the quick start-up time of vim. Until recently though, I didn’t have C++ auto completion (also known as vim omni completion).

This got me up and running, and was a great resource:

This would have been useful if I were a newcomer to vim and ctags:

xdg-open, gnome-open, start, cygstart

How to easily open files and URLs from the command line

  • Linux: xdg-open filename_or_URL
  • Linux: gnome-open filename_or_URL
  • Mac: open filename_or_URL
  • Windows: cmd /c start filename_or_URL
  • Cygwin: cygstart filename_or_URL

Nomachine NX and ALT-TAB

I use the Nomachine NX client from time to time to get a remote-desktop like connection to a remote Linux machine. It’s faster than VNC, but it suffers from not forwarding all of my keyboard shortcuts to the remote end of the connection.

Usually, I start nxclient from within a Gnome login session. Gnome happily grabs ALT-TAB before the NX client gets to see it. That’s not what I want. To work around this limitation, I log into a virtual terminal and start X manually as follows:

Run: startx /usr/bin/gnome-terminal -- :1 (the client program goes before the “--”, as a full path so startx recognizes it as the client; the display number goes after)

From the gnome-terminal, run: nxclient

And then I connect to the remote machine in full screen mode. There’s no local window manager to interfere with my keyboard shortcuts.

Remote desktop and dual screens

I’ve been using Remote Desktop to connect to Windows XP, Vista and 7 machines. Until Windows 7, there was no way for a local computer having dual monitors to connect and have the remote end display across both monitors.

So I used linux’s ‘rdesktop’ program to do it:

rdesktop -0 -a16 -f -rdisk:CLIENT=/home/jared/Desktop -r sound remote.host.com

I notice that in Windows 7, there are some new options in the Remote Desktop client (mstsc.exe): /multimon and /span. Or run mstsc /? to list all possible options.

Editing windows registry files on Linux

Use Gedit: gedit --encoding=UTF-16LE myfile.reg

Gvim: LANG=UTF-16LE gvim myfile.reg

If already in gvim: :e! ++enc=utf-16le
or :e ++enc=utf-16le myfile.reg

Convert, edit, convert:

iconv -f UTF-16LE -t utf-8 myfile.reg > myfile.reg.utf8

Edit myfile.reg.utf8, then convert it back

iconv -f utf-8 -t UTF-16LE myfile.reg.utf8 > myfile.reg

How Firefox opens files and mime types

I needed to give Firefox some extra help knowing how to open a custom file type with a custom application. Here’s some helpful information.


Firefox uses mime.types on Linux, among other things. I helped Firefox by adding a type attribute carrying the mime type to the link in the generated HTML file. Either one of the following seems to work:

* <a href="file:subdir/file1.cst" type="application/octet-stream"> open file </a>
* <a href="file:subdir/file1.cst" type="application/x-extension-cst"> open file </a>

f-spot and sqlite

I recently tried using Linux [f-spot](http://f-spot.org/), with the intent to make it easier to browse, manipulate, manage and publish my photos. I wanted f-spot to manage my photo screen saver as well. f-spot seems to be good at importing photos, but getting photos removed is a bit more difficult.

I organize my photos by date in a directory structure such as “2010/2010.01.01 New Years Day”. The “2010” directory contains several sub directories. Each sub directory consists of a date and a description. If, for some reason, I import photos into f-spot that I don’t want in its database, I know what directory the photos pertain to. Unfortunately, F-spot doesn’t allow me to remove photos from its catalog by filename or file path. That’s okay though, because it stores its database using sqlite.

I figured this out by running lsof -p pid-of-f-spot, and noticed a file descriptor opened to “/home/jared/.config/f-spot/photos.db”. Then I ran file ~/.config/f-spot/photos.db and it helpfully told me that it is a “[SQLite](http://www.sqlite.org/) 3.x database”.

After a bit of google research, I figured out I could install a SQLite manager on my Fedora system: yum install -y sqliteman, followed by running sqliteman ~/.config/f-spot/photos.db. I was expecting to see a command-line client, but to my surprise, I found a pleasant graphical interface. It was simple to browse the table schema and to run queries to update and morph the f-spot photo database. Note: I’d recommend making a backup copy of the database before altering it.

F-spot may not be everything I want it to be, but I managed to work past its limitations due to the fact that it used a well known, open data storage format.

Modern bug trackers

Five years ago, I started a new job and encountered the [JIRA](http://www.atlassian.com/software/jira/) bug tracking system, after having been subject to pathetic bug tracking systems at previous companies. JIRA knocked their socks off in terms of ease-of-use and multi-platform support (it runs in a web browser). I’ve been a pleased JIRA user ever since. Recently, I stumbled on this article about what’s new in some of the best quality bug tracking systems on the market.

> Bug (issue) tracking systems have become a standard tool for any organization that develops software and have evolved greatly in the last years. InfoQ has conducted a virtual panel with people from JIRA, FogBugz, Basecamp and MantisBT about this evolution and the future developments in this field.

The virtual panel discusses integration with IDEs, project planning, story-boarding, and social networking integration.

[Read more…](http://www.infoq.com/articles/bug-trackers)

Best technologies and productivity

I tend to wonder about the “best” technologies for a given problem. Recently, I’ve wondered why Wicket is reportedly better than JavaServer Faces (though I’m using neither). Perhaps it’s human nature to look for the Next Big Thing or for silver bullet solutions that supposedly increase productivity while offering robust features.

Here’s a [blog post](http://www.jroller.com/kenwdelong/entry/my_framework_is_more_productive) that ponders whether a new framework or a programming language can really offer better productivity benefits over an ocean full of alternatives. The author asserts that the real time cost on a project is not in writing code, but in the following activities:

– Communication
– Understanding preexisting code
– Debugging
– Refactoring

Tools or languages that make any of those activities easier are to be coveted. Java refactoring tools outshine those available for Grails. Java is easier to read and comprehend than terse bash scripting. Some frameworks/platforms make debugging easier than others.

mwrc: Saturday evening Lightning Talks

Binary Lottery code — how he wrote the app.

Mhong – Event Machine. require ‘eventmachine’ module. `EM.run { block }` takes
over your ruby, and nothing after that block will be run.

There’s EM::PeriodicTimer and single-fire timers: `EM.add_timer(2) { block }`.
To use EM in your web app, `require 'thin'` or spin up a new thread and use
`EM.run`. `EM::HttpRequest.new … EM.system(…) { |output, status| if status.exitstatus == 0
… end }`. Message queues, etc. Looks cool.

Dana Gray – regular expressions. “it’s been two days since my last regular
expression”. She went over the basics of regular expression string matches. How
to match word chars, positional anchors, capturing and non-capturing
parenthesis, grouping, character classes. Don’t fear regex, embrace regex.

Jake Cahoon from the Utah Valley Ruby Users Group. He used a slightly
monkey-patched ‘feedzirra’ module to pull tweets using Ruby code. Finished
writing the code at 2 A.M. this morning. Now it pulls tweets and puts them into
IRC. His code is on http://pastie.org

MerbCamp videos from last year are online. How to do Rack testing with `require
'rackbox/spec'`. He wrote three apps that echo text in three different
frameworks (sinatra, merb, rails), and showed the tests running against each.
All in five minutes.

Sockets and Ruby.
`require 'socket'; client = TCPSocket.new('', 6789); client.write("Hello!")`

`server = TCPServer.new('', 6789); client = server.accept; client.recv(500)`

MongoDB – a document oriented data store. Supports native Ruby objects. Has
full index support. Uses memory mapped files for speed. Has a file storage API.
Will support sharding soon. Best use cases: most web apps, caching (memcachedb
+ indexes), when you need high scalability. Worst use cases:
transactional systems, data warehouses. Why should you use it? Fast! No
migrations, ever. Replaces memcached & tokyo. Has great Ruby support, and it’s
not mySQL. http://mongodb.org

It’s easy to contribute RSpecs to Rubinius. One presenter showed how.

Brian Marick: How to learn from the screw-ups of the past. He’s been involved
in three movements in computer programming in the past 20 years. First, it was
lisp, which was going to take over the world, but died when it failed in the
commercial world. Second was ???, and third is Ruby. He thinks “agile” is in
trouble like lisp was in trouble. Agile was founded by people who like to
program. The key thing that was missing from agile is solidarity of action. He
ran out of time to complete his thoughts.

Coby R. announced the LA Ruby Conf – April 4th, 2009

Justin Graham showed a working example of Adhearsion (the Ruby telephony
framework for Asterisk).

Pat Eyler – Ruby Brigades. You should participate in your local Ruby Brigade so that you can strengthen the community. It’s a chance to grow and learn. The best way to learn is to teach others. Simply show up. It’s discouraging when someone organizes a group and no one shows up. Get on the mailing list. Don’t just subscribe. Ask questions. Answer questions. Be involved. Give a lightning talk at the meeting.

There are two types of meetings: Ones that are a launchpad, and ones that are a destination. Don’t let your meetings become a destination. Make the world a better place.