= Signed Renew - The Signed Reference Net Workshop = [http://renew.de Renew] is a high-level Petri net simulator written in Java. Signed Renew contains two plugins which are not included in the normal Renew release. The two Plugins are the SignatureCheck Plugin and the NetSigner Plugin. Both Plugins use signatures to build trust between the author of a work and the product. The SignatureCheck Plugin does this for Plugins and the NetSigner Plugin for Nets. '''Here we provide a download for reviewers: TODO''' == Installation == Before you can use [http://renew.de Renew], you must have Java 11 or higher installed. If you have not done this yet, we suggest that you get the latest Java Development Kit from [https://www.oracle.com/java/ Oracle-Java] or from [https://adoptopenjdk.net/ AdoptOpenJDK] where versions for Windows, Linux, MacOS are available. [http://renew.de Renew] only requries the Java Runtime Environment (JRE), but it is no longer distributed separately. There are many other platforms that cannot be listed here. For the installation of the Java platforms, please refer to the instructions that come with the executables. [http://renew.de Renew] is a full Java application, not an applet, and it is not intended to be used from WWW browsers like Mozilla or Internet Explorer. You must install a up to date standalone Java. This release currently onyl contains the manual start option. You can always start [http://renew.de Renew] manually, which is not very difficult after all. java -p path/to/renew4.0:path/to/renew4.0/libs -m path/to/renew4.0/de.renew.loader gui will start the renew editor, if the archive was extracted to /path/to. Depending on your system you may need to issue a different command. When in the /path/to/renew4.0 directory, relative paths may shorten this command to java -p .:libs -m de.renew.loader gui Windows needs a slightly different command: java -p ".;libs" -m de.renew.loader gui The documentation contains a few hints on alternative commands or settings to start the application. == SignatureCheck Plugin == The SignatureCheck Plugin ensures that only signed plugins get loaded. This is useful, if the plugin gets distributed over an unsecure channel, for example a server which is not under the control of the author. The plugin uses OpenPGP signatures generated by [https://docs.gradle.org/current/userguide/signing_plugin.html Gradles Signing Plugin]. The signatures are compatible with the format required by the [http://central.sonatype.org/pages/requirements.html#sign-files-with-gpgpgp Maven Central Repository]. Signed Plugins can not be modified by untrusted third parties. This makes it possible that the plugin can be stored on a server, which isn't in the control of the plugin author. Which authors are trustworthy can be decided by the user. Only plugins from these authors will be loaded. Using only plugins, which are linked via a signature to trusted authors provides security advantages. Unknown third parties can't disguise themself as trusted authors. == NetSigner Plugin == Renews Net Drawings can contain Java code. This code will be executed in simulations and can do changes to the computer on which the code runs. There should be a straightforward way to know who wrote the Java code inside the Net, so a user can decide if they trust the author. The NetSigner Plugin can provide this information. This plugin uses X.509 Certificates to check the identity of a user. Every user who wants to sign a Net Drawing needs a X.509 a Code Signing Certificate or a personal E-Mail Certificate. Signed nets provide information about who signed it. So a user can check that the file comes from the right author, even when the file was transmitted over an untrusted way (for example a file host website, an unencrypted E-Mail or any third person). The verification of the identity comes from a trusted Certificate Authority (CA). The author verified it's identity to the CA and the programm has a list of CAs that are trustworthy. It is the same technology which is used by signed executables (executables or installers which show a Company name in the admin privilige Screen on Windows). It also protects the file from manipulation. The signature contains a hash (checksum) over the Net. So nobody can modify the Net without breaking the signature. A storage or transmittion error can also be detected as manipulation, but cannot be fixed by this format. == Further reading == For more information about the signature part of this release read the doc/NetSignerPlugin.md and the doc/SignatureCheckPlugin.md. These introduce the two plugins which make this release the Signed [http://renew.de Renew] . Some examples which highlight the features of this release are described in doc/NetSignerExample.md and the doc/SignatureCheckExample.md. Consult the file [http://renew.de Renew] User Guide for more information about the usage of [http://renew.de Renew] and the syntax and semantics of reference nets.