Question

If, as part of my build, I sign a jar via Ant's signjar task, it will then be considered a "signed jar". The same thing can be accomplished in Maven-land by executing the jar:sign goal.

Repository managers such as Artifactory have the concept of checksums where you can fail deployments on bad checksums, you can recalculate bad/missing checksums, and take all sorts of other actions based on checksum status.

I'm wondering what the relationship is between the results ("signing") of jars via methods like signjar or jar:sign and Artifactory's notion of checksums.

Are "checksums" just a generic term for what is produced by running these signature tasks/goals? Or are they completely different items altogether?


Solution

A checksum is a numeric representation of a file's content. Signing is the process of adding a signature to the file.

Since the size and the content of the file change during signing, the checksums of the same file signed and unsigned will be different.

The process of verifying file transfer success with checksums is not specific to Artifactory. For an upload it goes like this:

  1. The client calculates the checksum before uploading the file.
  2. The client uploads the checksum along with the file (usually in a separate text file with an .md5 or .sha1 extension, which are two ways of calculating checksums).
  3. After the upload, the server calculates the checksum of the uploaded file.
  4. The server compares its checksum with the uploaded checksum. If they match, all green. If not, that depends on the settings you mentioned in your question (fail the upload, or pass it anyway).

When you use a build tool (Maven or Ivy) to deploy jars to Artifactory after signing, the calculated checksum will be the correct one (of the signed jar), so everything should work as expected.
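The four-step handshake described in this answer, simulated end to end in one process. This is an added example, not code from the answer and not Artifactory's implementation; `ChecksumPolicy`, `ChecksumMismatch`, the status strings and the jar byte strings are constructed for illustration. It also shows the point made earlier that the signed and unsigned jar never share a checksum.

```python
"""Added example: client/server checksum handshake for an artifact upload.
Everything here (policy names, jar bytes, statuses) is constructed."""
import hashlib
import hmac
from enum import Enum


class ChecksumPolicy(Enum):
    FAIL = "fail"  # reject a deployment whose checksum does not match
    PASS = "pass"  # accept it anyway (the other setting mentioned in the question)


class ChecksumMismatch(Exception):
    pass


def checksum(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the file content; 'md5' and 'sha1' are the two sidecar flavours."""
    return hashlib.new(algorithm, data).hexdigest()


def client_prepare_upload(name: str, content: bytes, algorithm: str = "sha1") -> dict:
    """Steps 1-2: compute the checksum before upload and ship it as a sidecar file."""
    return {name: content, f"{name}.{algorithm}": checksum(content, algorithm).encode()}


def server_verify_upload(name: str, files: dict, policy: ChecksumPolicy,
                         algorithm: str = "sha1") -> tuple:
    """Steps 3-4: recompute the checksum of what arrived and compare it with the
    uploaded sidecar. Returns (status, checksum computed by the server)."""
    actual = checksum(files[name], algorithm)
    sidecar = files.get(f"{name}.{algorithm}")
    if sidecar is None:
        # Nothing to compare against: the server records the value it computed
        # itself (the "recalculate missing checksums" case).
        return ("recalculated", actual)
    claimed = sidecar.decode().split()[0].lower()  # sidecar may read "<hex>  filename"
    if hmac.compare_digest(claimed, actual):
        return ("ok", actual)
    if policy is ChecksumPolicy.FAIL:
        raise ChecksumMismatch(f"{name}: client sent {claimed}, server computed {actual}")
    return ("accepted-with-bad-checksum", actual)


def corrupt_in_transit(files: dict, name: str) -> dict:
    """Constructed transfer fault: flip one bit of the artifact, leave the sidecar intact."""
    damaged = bytearray(files[name])
    damaged[0] ^= 0x01
    return {**files, name: bytes(damaged)}


# Constructed stand-ins for jar content. A real jar is a zip archive; the
# checksum only cares about bytes, so the exact layout does not matter here.
UNSIGNED_JAR = b"PK\x03\x04com/example/App.class..."
SIGNED_JAR = UNSIGNED_JAR + b"META-INF/SIG.SF...META-INF/SIG.RSA..."  # what signing appends


def demo() -> dict:
    """Run the handshake for the cases a deployment can hit."""
    results = {}
    clean = client_prepare_upload("lib.jar", SIGNED_JAR)
    results["clean"] = server_verify_upload("lib.jar", clean, ChecksumPolicy.FAIL)[0]

    damaged = corrupt_in_transit(clean, "lib.jar")
    try:
        server_verify_upload("lib.jar", damaged, ChecksumPolicy.FAIL)
        results["damaged_fail_policy"] = "accepted"
    except ChecksumMismatch:
        results["damaged_fail_policy"] = "rejected"
    results["damaged_pass_policy"] = server_verify_upload(
        "lib.jar", damaged, ChecksumPolicy.PASS)[0]

    no_sidecar = {"lib.jar": SIGNED_JAR}
    results["missing_sidecar"] = server_verify_upload(
        "lib.jar", no_sidecar, ChecksumPolicy.FAIL)[0]

    # Signing changes the bytes, so the signed and unsigned jar never share a checksum.
    results["signed_differs_from_unsigned"] = checksum(SIGNED_JAR) != checksum(UNSIGNED_JAR)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>28}: {outcome}")
```

The server side takes only the first whitespace-separated token of the sidecar because tools like `sha1sum` write `<hex>  <filename>` while Maven-style `.sha1` files hold the bare hex; comparing with `hmac.compare_digest` is a habit worth keeping even for non-secret values.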

OTHER TIPS

A signed jar gives a guarantee that its content has been created by the person who signed it, while a checksum is just a check that the file is intact. For example, someone can modify a file and change the checksum to match the new content.
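The distinction in this answer, worked through as an added example (not code from the answer or from `jarsigner`): a per-entry manifest plus a signature over it loosely follows a signed jar's `META-INF` layout, but the RSA/ECDSA signature block is replaced by an HMAC with a shared secret so the example runs on the Python standard library alone. All entry names, the `META-INF/SIG.MAC` file name and the sample bytes are constructed. The scenario is the one the answer gives: content is edited after signing and the checksum is republished to match, which the checksum check accepts and the signature check does not.

```python
"""Added example: checksum (intact?) versus signature (produced by the signer?).
The HMAC stands in for the signature block; names and bytes are constructed."""
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """The .sha1 sidecar value a repository stores next to an artifact."""
    return hashlib.sha1(data).hexdigest()


def build_manifest(entries: dict) -> bytes:
    """Per-entry digests, in the spirit of the MANIFEST.MF lines jarsigner writes."""
    return "".join(
        f"Name: {name}\nSHA-256-Digest: {hashlib.sha256(data).hexdigest()}\n\n"
        for name, data in sorted(entries.items())
    ).encode()


def sign_jar(entries: dict, signing_key: bytes) -> dict:
    """Stand-in for jarsigner: add a manifest and a tag over it. A real signed jar
    carries an RSA/ECDSA signature checked against the signer's certificate; the
    HMAC used here needs the same secret on both sides and is illustration only."""
    manifest = build_manifest(entries)
    tag = hmac.new(signing_key, manifest, hashlib.sha256).hexdigest().encode()
    return {**entries, "META-INF/MANIFEST.MF": manifest, "META-INF/SIG.MAC": tag}


def verify_signature(jar: dict, signing_key: bytes) -> bool:
    """The manifest must carry a valid tag AND every non-META-INF entry must still
    match the digest recorded for it."""
    manifest, tag = jar.get("META-INF/MANIFEST.MF"), jar.get("META-INF/SIG.MAC")
    if manifest is None or tag is None:
        return False
    expected = hmac.new(signing_key, manifest, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False
    content = {k: v for k, v in jar.items() if not k.startswith("META-INF/")}
    return build_manifest(content) == manifest


def serialize(jar: dict) -> bytes:
    """Flatten the entry map into one byte string standing in for the .jar file."""
    return b"".join(k.encode() + b"\0" + v + b"\0" for k, v in sorted(jar.items()))


def publish(jar: dict) -> dict:
    """What ends up in the repository: the artifact plus its checksum sidecar."""
    return {"jar": jar, "sha1": checksum(serialize(jar))}


def verify_checksum(published: dict) -> bool:
    """The repository's integrity check: does the stored sidecar match the bytes?"""
    return checksum(serialize(published["jar"])) == published["sha1"]


def demo() -> dict:
    """Returns {case: (checksum_ok, signature_ok)} for the scenarios in the answer."""
    key = secrets.token_bytes(32)
    entries = {"com/example/App.class": b"\xca\xfe\xba\xbe original bytecode"}
    signed = sign_jar(entries, key)
    good = publish(signed)

    # A class file is edited after signing and a matching checksum is republished.
    tampered_jar = {**signed, "com/example/App.class": b"\xca\xfe\xba\xbe modified bytecode"}
    tampered_recomputed = publish(tampered_jar)
    # Same edit, but the old sidecar is left in place (indistinguishable from corruption).
    tampered_stale = {"jar": tampered_jar, "sha1": good["sha1"]}

    return {
        "original": (verify_checksum(good), verify_signature(good["jar"], key)),
        "tampered_recomputed_checksum": (verify_checksum(tampered_recomputed),
                                         verify_signature(tampered_recomputed["jar"], key)),
        "tampered_stale_checksum": (verify_checksum(tampered_stale),
                                    verify_signature(tampered_stale["jar"], key)),
    }


if __name__ == "__main__":
    for case, (cs, sig) in demo().items():
        print(f"{case:>30}: checksum_ok={cs} signature_ok={sig}")
```

The checksum check has no secret in it, so anyone who can rewrite the artifact can rewrite the sidecar; the signature check fails either because the manifest no longer matches the entries or because a rewritten manifest no longer carries a valid tag, and producing a new valid tag requires the signing key.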

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow