Sunneke31 wrote: Your questions seem to indicate that you don't fully understand the concept of a digital signature.
Yes, I understand that the content of a digitally signed jar cannot be changed...
1) But what if someone steals the digitally signed jar and makes copies of it?
Then they have a perfectly valid copy of the jar. Signing a document (or jar file, or anything) does not stop it being copied. If you want to stop copying then you need to read up on digital money.
2) And if your neighbour gives you another, correctly digitally signed jar with other content... then you're fooled? Or how can you verify that it came from your neighbour?
Then your 'neighbour' will have access to the private key associated with a certificate verified and signed by one of the trusted certificate authorities. Java applet jars are verified using certificates in the web browser's trusted certificates, and Web Start jars are verified as being signed by a certificate in the cacerts certificate store.
Sunneke31 wrote: jarsigner -verify ...
Okay, but here comes the last thing...
If you receive a digitally signed jar from someone, that includes a certificate and a public key.
It's just a jar on a CD-ROM, so no browser comes into play which has functionality and a list of trusted certificates.... You have to work with a command line tool (or you can eventually write some lines of code).
1) Can you verify the certificate with a simple command line command?
2) So you (as the receiver of the jar file) need to obtain an exact copy of the certificate in advance to compare it against the certificate that is inside the jar?
The certificate does not need to be stored in the jar file, just the signature plus some simple certificate identification information. Certificates are public property. I publish mine on my web site.
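Since the thread mentions writing a few lines of code for the CD-ROM case, here is an added example (not code from either poster) in Java that does what a `jarsigner -verify` run plus a manual certificate comparison would do: it reads every entry through a verifying `JarFile`, so a modified or unsigned entry is rejected, and compares the signer's certificate (which `jarsigner` embeds in the jar's signature block) against a SHA-256 fingerprint you obtained in advance, e.g. from the author's web site. The class name, the `EXPECTED_SHA256` placeholder and the choice to pin a fingerprint instead of walking a CA chain are assumptions for this example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {
    // SHA-256 fingerprint of the signer's certificate, obtained in advance out of band
    // (for example from the author's web site). Placeholder, not a real value.
    static final String EXPECTED_SHA256 = "<expected-signer-cert-sha256-fingerprint>";

    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().withUpperCase().withDelimiter(":").formatHex(digest); // Java 17+
    }
    // The manifest, the .SF signature file and the signature-block file are unsigned by definition.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    public static void main(String[] args) throws Exception {
        // verify=true makes JarFile check each entry's digest against the manifest
        // and the signature files while the entry is read.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                // Read the entry to the end: a modified entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.readAllBytes();
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null if the entry carries no signature
                if (signers == null) throw new SecurityException("unsigned entry: " + entry.getName());
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    // First certificate in the signer's path is the signing certificate itself.
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(leaf).equalsIgnoreCase(EXPECTED_SHA256)) trusted = true;
                }
                if (!trusted) throw new SecurityException("unexpected signer on " + entry.getName());
            }
        }
        System.out.println("OK: all entries intact and signed by the expected certificate");
    }
}
```

Run it as `java VerifySignedJar app.jar`; any exception means the jar is not the one the expected signer produced, which covers both the "copied but intact" case (accepted, as the reply above says it must be) and the "different content, different signer" case (rejected).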