I don't get it: what does jar signing really prevent? (See post)

Ranch Hand
Posts: 387
I always thought that jar signing prevented the alteration of a jar file (in the sense that if you added or altered a file, it would not match the signatures in the Manifest, ".SF" file or ".DSA" file). However, this isn't the case!

When I've signed a jar file and then added a file to it afterwards, it still passed the "jarsigner -verify" test! And if you look at the code (in Sun's code), the jar verification never throws any exceptions if a file isn't mentioned (and signed) in the manifest.

What's going on here? Am I missing something?

Also - where does it check that the bytes of a file match the signature in the manifest? And where does it check that the manifest matches the ".SF" file?
Ranch Hand
Posts: 79
Hi!

This is just a guess, but what happens if you use the jar in a Java environment where security is on (like an applet)?

Artsi
[ March 02, 2005: Message edited by: Arto Pastinen ]
Dan Bizman
Ranch Hand
Posts: 387
Same thing. It's not that I only tested it: I actually looked at the source code as well as testing it. Look at the code and you'll see it allows such alterations of a jar and will still say it's verified!
Ranch Hand
Posts: 39
If I remember correctly, signing a jar file is only relevant to the files already held within it. If you try to either remove or alter an existing class, the verification will fail.

I guess the reasoning is that adding classes to a jar file does not change the functionality of it so should be allowed. Not sure it makes much sense to me either, though.
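The checks the thread is asking about can be seen by reading a signed jar as a plain zip. The example below is added here and is not code from the thread or from the JDK: it parses META-INF/MANIFEST.MF and the .SF file, verifies the .SF's digest of the whole manifest against the manifest bytes, verifies each manifest section's digest against the entry's bytes, and lists every entry that has no manifest section at all, which is exactly what a file added after signing looks like. The sample jar is constructed inline with a hand-written manifest and .SF and no .RSA/.DSA block, so the signature over the .SF (and the .SF's per-section digests) are deliberately not verified; only the digest chain from .SF to manifest to entry bytes is.

```python
import base64
import hashlib
import io
import zipfile

# Digest algorithms a manifest / .SF section may carry, tried in this order.
DIGESTS = (("SHA-256", hashlib.sha256), ("SHA1", hashlib.sha1))


def parse_manifest(data: bytes):
    """Parse MANIFEST.MF or a .SF file into (main_attrs, {entry_name: attrs}).
    Lines over 72 bytes are wrapped; a continuation starts with one space."""
    lines = []
    for raw in data.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join continuation onto previous line
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if line == "":                    # blank line ends a section
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def digest_matches(attrs, suffix, data):
    """True if the section's <algo>-Digest<suffix> equals base64(hash(data))."""
    for algo, hasher in DIGESTS:
        expected = attrs.get(f"{algo}-Digest{suffix}")
        if expected is not None:
            return base64.b64encode(hasher(data).digest()).decode() == expected
    return False                          # section carries no digest at all


def is_signature_file(name):
    """The files that carry the signature are themselves not covered by it."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")))


def audit_jar(jar_bytes: bytes) -> dict:
    """manifest_ok: .SF digest of the manifest matches the manifest bytes;
    tampered: entries whose bytes no longer match their manifest digest;
    unsigned: entries with no manifest section, i.e. added after signing.
    The .RSA/.DSA signature block over the .SF is NOT checked here."""
    report = {"manifest_ok": False, "tampered": [], "unsigned": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF")
        _, entries = parse_manifest(manifest)
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                sf_main, _ = parse_manifest(zf.read(name))
                report["manifest_ok"] = digest_matches(sf_main, "-Manifest", manifest)
            elif name.endswith("/") or is_signature_file(name):
                continue
            elif name not in entries:
                report["unsigned"].append(name)
            elif not digest_matches(entries[name], "", zf.read(name)):
                report["tampered"].append(name)
    return report


def build_sample_jar() -> bytes:
    """Constructed sample, not a real signed jar: two entries with a hand-written
    manifest and .SF, then a third entry appended afterwards, as 'jar uf' would."""
    b64 = lambda h: base64.b64encode(h).decode()
    entries = {"com/example/App.class": b"\xca\xfe\xba\xbe original class bytes",
               "config.properties": b"mode=prod\n"}
    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64(hashlib.sha256(data).digest())}\r\n\r\n"
    manifest_bytes = manifest.encode()
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64(hashlib.sha256(manifest_bytes).digest())}\r\n\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_bytes)
        zf.writestr("META-INF/SIGNER.SF", sf)
        for name, data in entries.items():
            zf.writestr(name, data)
    with zipfile.ZipFile(buf, "a") as zf:   # added after signing: no manifest section
        zf.writestr("com/example/Injected.class", b"\xca\xfe\xba\xbe added after signing")
    return buf.getvalue()


def replace_entry(jar_bytes: bytes, target: str, new_data: bytes) -> bytes:
    """Rewrite the jar with one entry's bytes replaced (alters a signed file)."""
    src, out = zipfile.ZipFile(io.BytesIO(jar_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in src.namelist():
            zf.writestr(name, new_data if name == target else src.read(name))
    return out.getvalue()


if __name__ == "__main__":
    print(audit_jar(build_sample_jar()))
    print(audit_jar(replace_entry(build_sample_jar(), "config.properties", b"mode=debug\n")))
```

Run as is, the first report shows `manifest_ok` true, nothing tampered, and `com/example/Injected.class` as unsigned: the added file never fails a digest check because no digest was ever recorded for it. The second report additionally lists `config.properties` as tampered, which is the case the third reply describes. On a real jar the same distinction is visible with `jarsigner -verify -verbose`, whose per-entry flags include `s` (signature verified) and `m` (entry listed in the manifest); an entry that shows neither is one the signature does not cover, so a consumer that cares about integrity has to refuse such entries itself (for example by checking that every loaded entry reports code signers) rather than rely on the verify exit status alone.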