
Signing JAR Files

 
Mark Henryson
Ranch Hand
Posts: 200
Hi,
I want to know what is the purpose of signing the jar files? For example: if I want to send my files to my client/whoever it is, instead of sending all the files separately, we are compressing and sending as a single Jar file just like Zip file(?).

Signing the Jar file is like zipping the file with password protection?
What is the purpose of verification?
Please clarify my doubts. I have read the Sun site for Jaring, but I am confused.
 
Ulf Dittmer
Rancher
Posts: 42972
No, signing has nothing to do with password protection. During signing a digital certificate is applied to the jar file (your certificate in this case). It essentially tells the user: This file was created by Mark Henryson, it has not been tampered with since he created it, and Mark vouches for the file contents. Seeing your certificate, users who know you would presumably have a better feeling about using the file.

Signing a jar file is often used with applets, in order to get around the restrictions that browsers generally place on their execution. If the user accepts an applet's certificate, then the security restrictions no longer apply.
 
Mark Henryson
Ranch Hand
Posts: 200
Thanks for your prompt reply.
But I have one doubt: how will the user/client uniquely identify whether this jar has been written by Mark (Henryson), since the user can get the jars from another Mark (Taylor) also?
 
Ulf Dittmer
Rancher
Posts: 42972
The certificate includes your full name, location and organization, so it's unlikely that someone else would have the same information in their certificate.
 
 
Jesper de Jong
Java Cowboy
Sheriff
Posts: 16060
You get (or rather, you buy) an official certificate from a trusted third party, for example a company like Verisign. Verisign tells the client "This is Mark Henryson's certificate and we guarantee you that it is an official certificate that has not been tampered with".

You can also generate your own certificate with the tools in the JDK, but of course that's not very useful for real purposes, because the client has no reason to believe your certificate is trustworthy if you generate it yourself.
[ October 31, 2006: Message edited by: Jesper Young ]
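
An added illustration, not code from any poster in this thread: a small Java program that reads a JAR with verification switched on and reports what the replies above describe, namely whether any entry was modified after signing, whose name is in the signing certificate, and whether a third party issued that certificate. The class name `JarSignerCheck` is hypothetical, the subject/issuer comparison is only a heuristic for spotting a self-generated certificate, and the program does not validate the certificate chain against a trust store.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not from the thread. Usage: java JarSignerCheck <file.jar>
public class JarSignerCheck {
    // The manifest and signature files carry the signature; they are not signed entries.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        return n.startsWith("META-INF/") && (n.equals("META-INF/MANIFEST.MF")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC"));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: JarSignerCheck <file.jar>"); return; }
        Set<String> signers = new TreeSet<>();
        int unsigned = 0;
        // 'true' asks JarFile to verify digests and signatures as entries are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are known only after the entry is read to the end; an entry
                // modified after signing throws SecurityException here (digest mismatch).
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { unsigned++; System.out.println("UNSIGNED: " + e.getName()); continue; }
                for (CodeSigner s : cs) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    String subject = leaf.getSubjectX500Principal().getName();
                    String issuer = leaf.getIssuerX500Principal().getName();
                    // Heuristic: subject == issuer means no third party vouches for the name.
                    String kind = subject.equals(issuer) ? "SELF-SIGNED" : "issued by " + issuer;
                    signers.add(subject + " [" + kind + "]");
                }
            }
        }
        signers.forEach(s -> System.out.println("signer: " + s));
        System.out.println(unsigned == 0 && !signers.isEmpty() ? "all entries signed" : "not fully signed");
    }
}
```

The JDK's own `jarsigner -verify -verbose -certs file.jar` performs the same integrity check and additionally reports whether the certificate chain validates.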
 