5 Replies Latest reply: Nov 9, 2007 5:34 AM by 807603

digitally signed jar files

807603 Newbie
Last evening, I consulted the site: http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html

However, some things are not yet totally clear to me about signing a jar file...

With a certificate, you can be sure that a jar file was created by the one you have in mind.... However, how can you verify this?
For example, if your neighbour also has a certificate (but another one), on what is the verification done to prove that the jar is from you and not from your neighbour? Or how does it work?

You can also self-sign a jar, without having to buy a certificate from a third party?
  • 1. Re: digitally signed jar files
    807603 Newbie
    http://en.wikipedia.org/wiki/Digital_signature
  • 2. Re: digitally signed jar files
    807603 Newbie
    Yes, I understand that the content of a digitally signed jar cannot be changed...

    1) But what if someone steals the digitally signed jar and makes copies of it?
    2) And if your neighbour gives you another, correctly digitally signed jar with other content... then you're fooled? Or how can you verify that it came from your neighbour?
  • 3. Re: digitally signed jar files
    807603 Newbie
    Sunneke31 wrote:
    Yes, I understand that the content of a digitally signed jar cannot be changed...
    Your questions seem to indicate that you don't fully understand the concept of a digital signature.

    1) But what if someone steals the digitally signed jar and makes copies of it?
    Then they have a perfectly valid copy of the jar. Signing a document (or jar file or anything) does not stop it being copied. If you want to stop copying then you need to read up on Digital Money.
    2) And if your neighbour gives you another, correctly digitally signed jar with other content... then you're fooled? Or how can you verify that it came from your neighbour?
    Then your 'neighbour' will have access to the private key associated with a certificate verified and signed by one of the trusted certificate authorities. Java Applet jars are verified using certificates in the Web Browser's trusted certificates and Webstart jars are verified as being signed by a certificate in the cacerts certificate store.

    If your 'neighbour' signs a jar file using a private key without an associated certificate held in your certificate store then the application will not be able to verify the jar. If the jar can be verified then you have to trust it if you trust the certificate authority who signed the certificate you are using to verify against.

    Edited by: sabre150 on Nov 9, 2007 12:51 PM
  • 4. Re: digitally signed jar files
    807603 Newbie
    Okay, but here comes the last thing...

    If you receive a digitally signed jar from someone, that includes a certificate and a public key.

    It's just a jar on a CD-ROM, so no browser comes into play which has functionality and a list of trusted certificates.... You have to work with a command line tool (or you can eventually write some lines of code).

    1) Can you verify the certificate with a simple command line command?
    2) So you (as the receiver of the jar file) need to obtain an exact copy of the certificate in advance to compare it against the certificate that is inside the jar?
  • 5. Re: digitally signed jar files
    807603 Newbie
    Sunneke31 wrote:
    Okay, but here comes the last thing...

    If you receive a digitally signed jar from someone, that includes a certificate and a public key.

    It's just a jar on a CD-ROM, so no browser comes into play which has functionality and a list of trusted certificates.... You have to work with a command line tool (or you can eventually write some lines of code).

    1) Can you verify the certificate with a simple command line command?
    jarsigner -verify ...
    2) So you (as the receiver of the jar file) need to obtain an exact copy of the certificate in advance to compare it against the certificate that is inside the jar?
    The certificate does not need to be stored in the jar file, just the signature plus some simple certificate identification information. Certificates are public property. I publish mine on my web site.

    Given a jar file, any certificate it contains is verified against the list of trusted certificate authorities in the certificate store and then the certificate is used to verify the jar.
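The two-step check the reply describes (entry signatures first, then the signer's certificate chain against the trusted CAs in a certificate store), as an added example written for this page, not code from the thread. It assumes the jar path, truststore path and truststore password are passed on the command line, and that the machine is offline, so revocation checking is disabled.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class VerifySignedJar {
    /** Step 1: check every entry's digest/signature and collect the signer certificate chains. */
    static Set<List<? extends Certificate>> signerChains(String jarPath) throws Exception {
        Set<List<? extends Certificate>> chains = new HashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {            // true: verify digests while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {      // a tampered entry throws SecurityException
                    while (in.read(buf) != -1) { }                  // signers are known only after a full read
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath().getCertificates());
            }
        }
        return chains;
    }

    /** Step 2: validate a signer chain against the trusted CAs in a truststore (e.g. the JDK's cacerts). */
    static void validateChain(List<? extends Certificate> chain, String trustStore, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStore)) { ts.load(in, pw); }
        List<Certificate> path = new ArrayList<>(chain);
        X509Certificate last = (X509Certificate) path.get(path.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) path.remove(path.size() - 1);
        if (path.isEmpty()) {   // self-signed jar: accept only if that exact certificate was imported as trusted
            if (ts.getCertificateAlias(last) == null) throw new CertPathValidatorException("untrusted self-signed cert");
            return;
        }
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(ts);  // every trustedCertEntry in the store is a trust anchor
        params.setRevocationEnabled(false);               // assumption: no CRL/OCSP access on the offline machine
        CertPathValidator.getInstance("PKIX").validate(cp, params);   // throws unless an anchor signs the chain
    }

    public static void main(String[] args) throws Exception {      // args: <jar> <truststore> <storepass>
        for (List<? extends Certificate> chain : signerChains(args[0])) {
            validateChain(chain, args[1], args[2].toCharArray());
            System.out.println("trusted signer: " + ((X509Certificate) chain.get(0)).getSubjectX500Principal());
        }
    }
}
```

Any exception means the jar should not be trusted: a SecurityException from step 1 is a modified or unsigned entry, a CertPathValidatorException from step 2 is a signer no CA in the store vouches for.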