
Sign JARs of all official releases.

Ben Alex 21 years ago
parent
commit
85d7cbf5a7
5 changed files with 46 additions and 0 deletions
  1. 1 0
      .cvsignore
  2. 10 0
      build.xml
  3. 1 0
      changelog.txt
  4. 13 0
      docs/reference/src/index.xml
  5. 21 0
      readme.txt

+ 1 - 0
.cvsignore

@@ -3,3 +3,4 @@ target
 build.properties
 *.log
 .clover
+*.keystore

+ 10 - 0
build.xml

@@ -57,6 +57,7 @@
 		<echo message="release  --> build a distribution ZIP file"/>
 		<echo message=""/>
 		<echo message="To build or test, your lib directory needs to be populated"/>
+		<echo message="To release, you require a code signing certificate setup"/>
 	</target>
 
 
@@ -324,6 +325,13 @@
 			<exclude name="project.properties"/>
 		</fileset>
 
+		<!-- To create your own free signing certificate, see http://www.dallaway.com/acad/webstart/  -->
+		<signjar lazy="true" alias="${signature.alias}" storepass="${signature.storepass}" keystore="${signature.keystore}">
+			<fileset dir="${dist.dir}">
+				<include name="*.jar"/>
+			</fileset>
+		</signjar>
+
 		<zip zipfile="${target.release.dir}/${release.zip}">
 			<zipfileset refid="main" prefix="${release.path}"/>
 		</zip>
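Review bot: The added `<signjar>` reads `${signature.alias}`, `${signature.storepass}` and `${signature.keystore}` without checking that they are set, and nothing in the hunk says where the keystore password is meant to live. A guard before the task, `<fail unless="signature.storepass" message="signature.alias, signature.storepass and signature.keystore must be set to build a release"/>`, would stop a release early instead of leaving the failure to jarsigner. The comment above the task could also state that these values belong in an untracked properties file rather than a committed one; this commit's .cvsignore change ignores `*.keystore`, and `build.properties` is already ignored there. `lazy="true"` deserves a comment as well: as far as I know, Ant then treats a JAR that already carries a signature file as signed and skips it, so a stale JAR left in `${dist.dir}` would go into the ZIP without being re-signed or checked. The enclosing target starts and ends outside this hunk.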
@@ -410,6 +418,8 @@
 		       <exclude name="**/DenyAgainVoter.java"/>
 		       <exclude name="**/*TargetObject.java"/>
 		       <exclude name="**/Mock*.java"/>
+		       <exclude name="**/TestLoginModule*.java"/>
+		       <exclude name="**/SomeDomain*.java"/>
 		    </files>
 			<statementContext id="nolog" regexp="^if \(logger.*\).*}"/>
 			<statementContext id="nojbosslog" regexp="^if \(super.logger.*\).*}"/>

+ 1 - 0
changelog.txt

@@ -10,6 +10,7 @@ Changes in version 0.6 (2004-xx-xx)
 * Added AuthenticationProvider that wraps JAAS login modules
 * Added support for EL expressions in the authz tag library
 * Added failed Authentication object to AuthenticationExceptions
+* Added signed JARs to all official release builds (see readme.txt)
 * Updated Authentication to be serializable (Weblogic support)
 * Updated to Clover 1.3
 * Updated to HSQLDB version 1.7.2 Release Candidate 6D

+ 13 - 0
docs/reference/src/index.xml

@@ -37,6 +37,19 @@
   <chapter id="security">
     <title>Security</title>
 
+    <sect1 id="security-before-you-begin">
+      <title>Before You Begin</title>
+
+      <para>For your security, each official release JAR of Acegi Security has
+      been signed by the project leader. This does not in any way alter the
+      liability disclaimer contained in the License, but it does ensure you
+      are using a properly reviewed, official build of Acegi Security. Please
+      refer to the <literal>readme.txt</literal> file in the root of the
+      release distribution for instructions on how to validate the JARs are
+      correctly signed, and which certificate has been used to sign
+      them.</para>
+    </sect1>
+
     <sect1 id="security-introduction">
       <title>Introduction</title>
 

+ 21 - 0
readme.txt

@@ -12,6 +12,27 @@ The Spring Framework (http://www.springframework.org).
 For a detailed list of features and access to the latest release, please visit
 http://acegisecurity.sourceforge.net.
 
+-------------------------------------------------------------------------------
+SIGNED JAR FILES
+-------------------------------------------------------------------------------
+
+We strongly recommend that you verify the integrity of the JAR files included
+in this release. You can do so using the following command:
+
+    "jarsigner -verify -verbose -certs jar_file_name"
+
+Of course, replace the jar_file_name with "dist/acegi-security.jar" or the
+appropriate path to the Acegi Security JAR to be validated.
+
+Until further notice, all Acegi Security official releases are signed by:
+
+  X.509, EMAILADDRESS=ben.alex@acegi.com.au, CN=Benjamin Peter Alex, GIVENNAME=Benjamin Peter, SURNAME=Alex
+  X.509, CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA -->
+
+If the above certificate was not used, or the JAR was not validated, DO NOT
+USE THE JAR. Please email the acegisecurity-developers list (contact details
+are provided below) for further assistance.
+
 -------------------------------------------------------------------------------
 ANT HELP
 -------------------------------------------------------------------------------