Re: Signature constraints with a new signing cert

Mike Hearn

The JAR signing spec doesn't allow that, unfortunately. It really should, but doesn't. We do it the same way as on Android: you generate a self-signed cert, and what the platform cares about is key continuity. The details in the cert don't matter, because the goal isn't to tie a key to any particular real-world identity, just to establish a timeline over upgrades. You can of course create a cert that chains to something and use it as if the cert did matter.

Actually, the Android "AAR" format is better than the standard JAR signing approach. AAR = JAR + alternative signing mechanism. Perhaps one day we can move to using it.

If your company publishes Android apps, then it will have already found ways to deal with this style of code signing. Maybe find some Android devs and ask how they manage things, policy-wise?
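The key-continuity rule described in the reply above, written out as an added example (this is not code from the original thread or from any project mentioned in it). It uses only the JDK's own `java.util.jar` and `java.security` APIs (JDK 17+ for `HexFormat`): the installed JAR and the candidate upgrade are both opened with signature verification on, the public key of each signer's leaf certificate is fingerprinted, and the upgrade is accepted only if every key that signed every entry of the installed version also signed every entry of the candidate. Subject names, issuers and chains are deliberately ignored, so a self-signed cert and a CA-issued cert for the same key are treated identically. The class and method names are my own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Key-continuity check for signed JARs (example code, not from the thread).
 * Identity in the certificate is ignored on purpose; only the signer's
 * public key (SubjectPublicKeyInfo, DER encoded) is compared.
 */
public final class KeyContinuity {

    /**
     * Returns the SHA-256 fingerprints of the public keys that signed EVERY
     * non-META-INF entry in the JAR (the intersection across entries).
     * Throws if any entry is unsigned or fails signature verification.
     */
    static Set<String> keysSigningAllEntries(Path jarPath) throws IOException {
        Set<String> common = null;
        // verify=true: JarFile checks each entry's digest against the signed
        // manifest as the entry is read, throwing SecurityException on mismatch.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Directories and the META-INF signature files are not themselves signed.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated once the entry has been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }
                Set<String> entryKeys = new HashSet<>();
                for (CodeSigner signer : signers) {
                    // Element 0 of the signer's CertPath is the leaf (signing) certificate.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    entryKeys.add(sha256Hex(leaf.getPublicKey().getEncoded()));
                }
                if (common == null) common = entryKeys; else common.retainAll(entryKeys);
            }
        }
        if (common == null || common.isEmpty()) {
            throw new SecurityException("no key signs every entry of " + jarPath);
        }
        return common;
    }

    /** True only if every key that signed the installed JAR also signed the candidate. */
    static boolean upgradeAllowed(Path installedJar, Path candidateJar) throws IOException {
        Set<String> oldKeys = keysSigningAllEntries(installedJar);
        Set<String> newKeys = keysSigningAllEntries(candidateJar);
        return newKeys.containsAll(oldKeys);
    }

    private static String sha256Hex(byte[] data) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java KeyContinuity <installed.jar> <candidate.jar>");
            System.exit(2);
        }
        boolean ok = upgradeAllowed(Path.of(args[0]), Path.of(args[1]));
        System.out.println(ok ? "upgrade allowed: signing key unchanged"
                              : "upgrade REJECTED: signing key changed or entries unsigned");
        System.exit(ok ? 0 : 1);
    }
}
```

Two consequences of this design are worth noting. Because the installed JAR's key set is the intersection over all entries and the candidate must carry every one of those keys on every entry, an attacker cannot slip in an extra entry signed only by their own key. And because the check never consults the certificate subject or chain, the only way to rotate a signing key is to ship one release signed by both the old and the new key, which is exactly the "timeline over upgrades" the reply describes.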

