I have been struggling with signing jar files and security issues since the latest Java 7 updates (as have many people).
It seems to me there is a huge inconsistency between the jar tool and the jarsigner one.
As per the JAR File Specification, there may be other files in the META-INF directory than those that are security related (MANIFEST.MF, .SF, .RSA files).
Try INDEX.LIST: this is generated by the jar tool, but does not get signed.
jarsigner -verify gives the warning: "This jar contains unsigned entries which have not been integrity-checked."
(this for a simple jar with one class inside!)
I found the same issue with files in the META-INF/service directory; these do not get signed either.
So how to deal with these issues? How to sign files in META-INF?
Will this be solved soon?
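
An added example, not part of the original post: one way to list which files in a jar have no per-entry digest section in META-INF/MANIFEST.MF, since an entry without a manifest digest cannot be covered by the signature. The sample jar, its entry names and the helper functions are constructed for illustration; the check looks only at whether a digest is present, not at digest values or the signature block.

```python
import base64, hashlib, io, zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # the signature files themselves

def digested_names(manifest_text):
    """Entry names that have a per-entry *-Digest attribute in MANIFEST.MF."""
    text = manifest_text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\n ", "")  # unfold continuation lines (wrapped at 72 bytes)
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and any(k.lower().endswith("-digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def entries_without_digest(jar_bytes):
    """Files in the jar that no manifest digest covers (presence check only)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        files = [n for n in jar.namelist() if not n.endswith("/")]
        covered = digested_names(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    skip = lambda n: n == "META-INF/MANIFEST.MF" or (
        n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES))
    return sorted(n for n in files if n not in covered and not skip(n))

def build_sample_jar():
    """Constructed sample: one class with a digest, plus undigested META-INF files."""
    cls = b"\xca\xfe\xba\xbe constructed placeholder, not a real class"
    digest = base64.b64encode(hashlib.sha256(cls).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: Hello.class\r\n"
                "SHA-256-Digest: " + digest + "\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/TEST.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/INDEX.LIST", "JarIndex-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/services/example.Spi", "example.SpiImpl\n")
        jar.writestr("Hello.class", cls)
    return buf.getvalue()

if __name__ == "__main__":
    for name in entries_without_digest(build_sample_jar()):
        print("no digest in manifest:", name)
```

To run it against a real file, pass the jar's bytes (for example `open(path, "rb").read()`) to `entries_without_digest`.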