0 Replies Latest reply on Jan 31, 2014 10:59 PM by e760f16f-fb6c-4014-ae17-e70c9c40cd73

    jarsigner and files / directories in META-INF

    e760f16f-fb6c-4014-ae17-e70c9c40cd73

      Hi all

       

      I have been struggling with signing jar files and security issues since the latest java 7 updates (as have many people)

      It seems to me there is a huge inconsistency between the jar tool and the jarsigner one.

       

      As per JAR File Specification, there may be in the META-INF directory other files that those security related (MANIFEST.MF , .SF, .RSA files) .

       

      Try INDEX.LIST: this is generated by the jar tool, but does not get signed.

       

      jarsigner -verify gives warning:This jar contains unsigned entries which have not been integrity-checked.

      (this for a simple jar with one class inside!)

       

      I found the same issue with files in the META-INF/service directory, these do not get signed either

       

      So how to deal with these issues? How to sign files in META-INF?

       

      Will this be solved soon?

       

      Help!