How to verify a jar signed with jarsigner programmatically

java code-signing signature jarsigner
James Carr picture James Carr · Sep 3, 2009 · Viewed 33.6k times · Source

I'm wanting to sign a jar using jarsigner, then verify it using a Java application which does not have the signed jar as part of it's classpath (i.e. just using a filesystem location of the jar)

Now my problem is getting the signature file out of the jar, is there a simple way to do this?

I've had a play with the Inflater and Jar InputStreams with no luck.

Or is this something that can be accomplished in a better way?

Thanks

Answer

nd. picture nd. · Nov 25, 2009

You can simply open the JAR with java.util.jar.JarFile and tell it to verify the JAR file. If the JAR is signed, then JarFile has the option to verify it (which is on by default). However, JarFile will also open unsigned JARs happily, therefore you must also check, whether or not the file is signed. You can do so by checking the JAR's manifest for *-Digest attributes: Elements with such an attribute attribute are signed.

Example:

JarFile jar = new JarFile(new File("path/to/your/jar-file"));

// This call will throw a java.lang.SecurityException if someone has tampered
// with the signature of _any_ element of the JAR file.
// Alas, it will proceed without a problem if the JAR file is not signed at all
InputStream is = jar.getInputStream(jar.getEntry("META-INF/MANIFEST.MF"));
Manifest man = new Manifest(is);
is.close();

Set<String> signed = new HashSet();
for(Map.Entry<String, Attributes> entry: man.getEntries().entrySet()) {
    for(Object attrkey: entry.getValue().keySet()) {
        if (attrkey instanceof Attributes.Name && 
           ((Attributes.Name)attrkey).toString().indexOf("-Digest") != -1)
            signed.add(entry.getKey());
    }
}

Set<String> entries = new HashSet<String>();
for(Enumeration<JarEntry> entry = jar.entries(); entry.hasMoreElements(); ) {
    JarEntry je = entry.nextElement();
    if (!je.isDirectory())
        entries.add(je.getName());
}

// contains all entries in the Manifest that are not signed.
// Ususally, this contains:
//  * MANIFEST.MF itself
//  * *.SF files containing the signature of MANIFEST.MF
//  * *.DSA files containing public keys of the signer

Set<String> unsigned = new HashSet<String>(entries);
unsigned.removeAll(signed);

// contains all the entries with a signature that are not present in the JAR
Set<String> missing = new HashSet<String>(signed);
missing.removeAll(entries);

Related questions

How to set a custom keystore for debugging in eclipse for android

I have a custom keystore that I use for signing my apk. now I want to use the same keystore for debugging. when I go to eclipse->windows->preferences->android->build and set my custom key …

Read More
Signing a jar file with trusted certificate for JWS deployment

I've developed an open source program, WPCleaner, which is distributed through Java Web Start. Current version is available at http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp With the recent updates in Java, it becomes more and more difficult to …

Read More
Java applet with self-signed certificate on OS X Mountain Lion

We have a Java applet that needs to run with full trust. While developing and during pre-release tests we sign it using a self-signed certificate (the production version is signed with a real code signing certificte). But when we try …

Read More