
I don't get it: what does jar signing really prevent? (See post)

 
Dan Bizman
Ranch Hand
Posts: 387
I always thought that jar signing prevented the alteration of a jar file (in the sense that if you added or altered a file, it would not match the signatures in the Manifest, ".SF" file or ".DSA" file). However, this isn't the case!

When I sign a jar file and then add a file to it afterwards, it still passes the "jarsigner -verify" test! And if you look at the code (in Sun's code), the jar verification never throws any exception if a file isn't mentioned (and signed) in the manifest.

What's going on here? Am I missing something?

Also - where does it check that the bytes of a file match the signature in the manifest? And where does it check that the manifest matches the ".SF" file?
 
Arto Pastinen
Ranch Hand
Posts: 79
Hi!

This is just a guess, but what happens if you use the jar in a Java environment where security is on (like an applet)?

Artsi
[ March 02, 2005: Message edited by: Arto Pastinen ]
 
Dan Bizman
Ranch Hand
Posts: 387
Same thing. I'm not saying that I only tested it; I actually looked at the source code as well as testing it. Look at the code and you'll see it allows such alterations of a jar and will still say it's verified!
 
Pete Harris
Ranch Hand
Posts: 39
If I remember correctly, signing a jar file is only relevant to the files already held within it. If you try to either remove or alter an existing class, the verification will fail.

I guess the reasoning is that adding classes to a jar file does not change the functionality of it so should be allowed. Not sure it makes much sense to me either, though.
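The behaviour the thread describes (a signed jar stays "verified" after an unsigned entry is appended, while a modified or removed signed entry fails) follows from what the verifier actually checks: each digest in the .SF file is compared against the manifest, each manifest digest is compared against the entry's bytes as the entry is read, and entries that appear in neither file are simply not checked. The defensive check a practitioner wants is therefore "is every entry signed?", which `jarsigner -verify` alone does not enforce. The following program is an added example written for this thread, not code from any of the posters or from the JDK; it opens a jar with verification enabled, reads every entry to the end (which is when `JarFile` validates the digest and populates the signers), and reports entries that carry no signer as well as entries whose bytes no longer match the manifest digest. The class name `UnsignedEntryCheck` and the command-line argument are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not code from the thread or the JDK): lists every entry of a
 * jar that carries no signature and every entry whose bytes no longer match the
 * digest recorded in the manifest. Usage: java UnsignedEntryCheck <file.jar>
 */
public class UnsignedEntryCheck {

    /** The manifest and the signature files under META-INF are never themselves signed entries. */
    static boolean isSignatureMetadata(String name) {
        if (!name.startsWith("META-INF/")) {
            return false;
        }
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
            || upper.endsWith(".SF") || upper.endsWith(".DSA")
            || upper.endsWith(".RSA") || upper.endsWith(".EC");
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java UnsignedEntryCheck <file.jar>");
            System.exit(2);
        }
        List<String> unsigned = new ArrayList<>();
        List<String> tampered = new ArrayList<>();
        byte[] buf = new byte[8192];

        // verify=true makes JarFile compare each entry's bytes against the manifest digest
        // while the entry is being read; a mismatch surfaces as a SecurityException.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    // The entry must be read to EOF before getCodeSigners() is populated.
                    while (in.read(buf) != -1) {
                        // discard the bytes; only the digest check matters here
                    }
                } catch (SecurityException e) {
                    // Bytes differ from the digest the manifest recorded for this entry.
                    tampered.add(entry.getName() + " (" + e.getMessage() + ")");
                    continue;
                }
                // An entry added after signing is listed in neither the manifest nor the
                // .SF file, so it is never digested and has no signers at all.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    unsigned.add(entry.getName());
                }
            }
        }

        for (String name : tampered) {
            System.out.println("TAMPERED : " + name);
        }
        for (String name : unsigned) {
            System.out.println("UNSIGNED : " + name);
        }
        if (unsigned.isEmpty() && tampered.isEmpty()) {
            System.out.println("all entries signed and intact");
        }
        // Non-zero exit lets a build or deployment step refuse the jar.
        System.exit(unsigned.isEmpty() && tampered.isEmpty() ? 0 : 1);
    }
}
```

Run it against a signed jar, append an arbitrary file with `jar uf`, and run it again: the appended entry is reported as UNSIGNED even though `jarsigner -verify` still reports the jar as verified (later JDK releases add a warning about unsigned entries, but the verification result itself does not change). Replacing the bytes of an entry that was signed produces a TAMPERED line instead, which is the digest comparison the original question asked about. The same rule applies to a `ClassLoader` or an applet sandbox that grants permissions based on signers: an unsigned entry has no signers, so it gets no signer-based permissions, and code that checks `getCodeSigners()` per class rather than trusting the jar as a whole is the robust way to consume a signed jar.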
 