ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

More replace options #197

Open Vampire opened 4 months ago

Vampire commented 4 months ago

You can currently select to replace all signatures or append to the existing signatures. It would be nice if replacing would have more options, for example "replace signatures by same certificate" to keep all signatures except ones created with the same certificate, and "replace signatures by same subject" to keep all signatures except one created with a certificate with the same subject.

Maybe additionally it could also make sense to have a way to filter the certificates to keep or replace by some Certificate->boolean function.

ebourg commented 4 months ago

Thank you for the suggestion, I see two ways this could be implemented:

Vampire commented 4 months ago

Actually, I spoke more about the programmatic usage, not the CLI, but adding it to the CLI could of course also make sense and would probably cause the necessary API to also be added. :-D

ebourg commented 4 months ago

Oh ok, in this case we could add a removeSignatures(Function<SignerInformation, boolean> filter) method in the Signable interface.

Vampire commented 4 months ago

Something like that for the "additional" point at least.

But it might be convenient to also have the "replace same certificate" and "replace same subject" options. Where you would call the removeSignatures, you right now just have the keystore file. Of course you can open the keystore file and get the certificate information from it, but it might be convenient to have these options built-in.

Maybe just as ready-made implementations of Function<SignerInformation, boolean> that get the keystore information as arguments.

ebourg commented 4 months ago

Why would you want to replace a signature with the same certificate? Wouldn't that generate the exact same signature?

Vampire commented 4 months ago

Not exactly the same, as the timestamp will be more recent.

But the actual case is, we have some things that are already signed with our certificate. We have some things that are signed with some 3rd party certificate. And we have some things that are not signed at all.

All these three things are combined to one end-result and in the end-result all 3rd party signatures should be preserved, but all files must also be signed with our certificate. If I just sign all files without replace, the files that are already signed end up having two signatures from the same certificate.

Replacing signatures from the same subject would be sufficient for this already, but there might be use-cases where you want to keep the signature with the old certificate for the same subject but replace signatures that were done with the same signature already.
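
The two replace policies discussed in this thread, as an added example that is not part of the thread and is not jsign code. It assumes Java 16+; the `Signer` record, `sameCertificate`, `sameSubject` and `resign` are hypothetical names, with `Signer` standing in for the issuer, serial number and subject a real filter would read from each signature's signer certificate.

```java
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
import javax.security.auth.x500.X500Principal;

public class ReplaceOptionsDemo {
    // Hypothetical stand-in for the identity fields of a signature's signer certificate.
    record Signer(X500Principal issuer, BigInteger serial, X500Principal subject) {}

    // "Replace signatures by same certificate": issuer + serial number identify one certificate.
    static Predicate<Signer> sameCertificate(Signer ours) {
        return s -> s.issuer().equals(ours.issuer()) && s.serial().equals(ours.serial());
    }

    // "Replace signatures by same subject": also matches an older certificate of the same subject.
    static Predicate<Signer> sameSubject(Signer ours) {
        return s -> s.subject().equals(ours.subject());
    }

    // Drop the signatures selected by the filter, keep the rest, then append the new one.
    static List<Signer> resign(List<Signer> existing, Signer ours, Predicate<Signer> replace) {
        List<Signer> result = new ArrayList<>(existing);
        result.removeIf(replace);
        result.add(ours);
        return result;
    }

    static void show(String policy, List<Signer> signatures) {
        System.out.println(policy);
        signatures.forEach(s -> System.out.println("  " + s.subject().getName()
                + " serial=" + s.serial().toString(16)));
    }

    public static void main(String[] args) {
        // Constructed sample identities, not real certificates.
        X500Principal ca = new X500Principal("CN=Example CA, O=Example CA, C=US");
        X500Principal us = new X500Principal("CN=Our Company, O=Our Company, C=DE");
        X500Principal vendor = new X500Principal("CN=Third Party, O=Third Party, C=US");
        Signer current = new Signer(ca, BigInteger.valueOf(0x2002), us);
        Signer previous = new Signer(ca, BigInteger.valueOf(0x1001), us); // older certificate, same subject
        Signer thirdParty = new Signer(ca, BigInteger.valueOf(0x3003), vendor);

        // A file that already carries a third-party signature and two of our own.
        List<Signer> file = List.of(thirdParty, previous, current);
        show("append only:", resign(file, current, s -> false));
        show("replace same certificate:", resign(file, current, sameCertificate(current)));
        show("replace same subject:", resign(file, current, sameSubject(current)));
    }
}
```

Appending leaves two signatures from the current certificate; the same-certificate filter removes only that duplicate, while the same-subject filter also removes the signature made with the older certificate. The third-party signature is kept in all three cases.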