I always thought that jar signing prevented the alteration of a jar file (in the sense that if you added or altered a file, it would not match the signatures in the Manifest, ".SF" file or ".DSA" file). However, this isn't the case!
When I've signed a jar file and then add a file to it afterwards, it still passed the "jarsigner -verify" test! And if you look at the code (in Sun's code) the jar verification never throws any exceptions if a file isn't mentioned (and signed) in the manifest.
What's going on here? Am I missing something?
Also - where does it check that the bytes of a file match the signature in the manifest? And where does it check that the manifest matches the ".SF" file?
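An added example, not part of the question: a small Python checker that re-implements the manifest-to-bytes step the question asks about, comparing each entry's bytes against the SHA-256-Digest recorded in MANIFEST.MF and separately reporting entries the manifest never lists (the situation the question describes after appending a file). It assumes SHA-256 digests and builds a constructed in-memory jar as its input.

```python
import base64
import hashlib
import io
import zipfile

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    # Sections of a MANIFEST.MF are blank-line separated; a leading space
    # continues the previous line (the format wraps lines at 72 bytes).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for block in text.split("\n\n"):
        pairs = (line.partition(":")[::2] for line in block.splitlines() if ":" in line)
        sections.append({k.strip(): v.strip() for k, v in pairs})
    # The first section is the main section; the rest name individual entries.
    return {s["Name"]: s for s in sections[1:] if "Name" in s}

def check_jar(jar_bytes):
    # Returns (tampered, unlisted): entries whose bytes no longer match their manifest
    # SHA-256-Digest, and entries the manifest never lists (META-INF/ and dirs skipped).
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        tampered, unlisted = [], []
        for name in zf.namelist():
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            if name not in manifest:
                unlisted.append(name)
            elif b64_sha256(zf.read(name)) != manifest[name].get("SHA-256-Digest"):
                tampered.append(name)
    return tampered, unlisted

def build_sample_jar():
    # Constructed sample jar: one entry with a correct digest, one whose bytes were
    # changed after the manifest was written, and one added with no manifest entry.
    good, original = b"class Good {}", b"class Original {}"
    manifest = ("Manifest-Version: 1.0\n\n"
                f"Name: Good.class\nSHA-256-Digest: {b64_sha256(good)}\n\n"
                f"Name: Modified.class\nSHA-256-Digest: {b64_sha256(original)}\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("Good.class", good)
        zf.writestr("Modified.class", b"class Evil {}")   # bytes no longer match
        zf.writestr("Added.class", b"class Added {}")     # appended, never listed
    return buf.getvalue()
```

This covers only the manifest-to-bytes comparison; whether the manifest itself is the one the ".SF" file digests and the ".DSA" file signs is a separate step that this example does not perform.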