How to verify a jar signed with jarsigner programmatically

by

You can simply open the JAR with java.util.jar.JarFile and tell it to verify the JAR file. If the JAR is signed, then JarFile has the option to verify it (which is on by default). However, JarFile will also open unsigned JARs happily, therefore you must also check, whether or not the file is signed. You can do so by checking the JAR’s manifest for *-Digest attributes: Elements with such an attribute attribute are signed.

Example:

JarFile jar = new JarFile(new File("path/to/your/jar-file"));

// This call will throw a java.lang.SecurityException if someone has tampered
// with the signature of _any_ element of the JAR file.
// Alas, it will proceed without a problem if the JAR file is not signed at all
InputStream is = jar.getInputStream(jar.getEntry("META-INF/MANIFEST.MF"));
Manifest man = new Manifest(is);
is.close();

Set<String> signed = new HashSet();
for(Map.Entry<String, Attributes> entry: man.getEntries().entrySet()) {
    for(Object attrkey: entry.getValue().keySet()) {
        if (attrkey instanceof Attributes.Name && 
           ((Attributes.Name)attrkey).toString().indexOf("-Digest") != -1)
            signed.add(entry.getKey());
    }
}

Set<String> entries = new HashSet<String>();
for(Enumeration<JarEntry> entry = jar.entries(); entry.hasMoreElements(); ) {
    JarEntry je = entry.nextElement();
    if (!je.isDirectory())
        entries.add(je.getName());
}

// contains all entries in the Manifest that are not signed.
// Ususally, this contains:
//  * MANIFEST.MF itself
//  * *.SF files containing the signature of MANIFEST.MF
//  * *.DSA files containing public keys of the signer

Set<String> unsigned = new HashSet<String>(entries);
unsigned.removeAll(signed);

// contains all the entries with a signature that are not present in the JAR
Set<String> missing = new HashSet<String>(signed);
missing.removeAll(entries);

More Related Contents:

  1. Appearance of Java Security dialog
  2. How to convert .pfx file to keystore with private key?
  3. How to show digital PDF signature in all document’s Page using iText?
  4. Using a PEM encoded, encrypted private key to sign a message natively
  5. Absolute minimum code to get a valid oauth_signature populated in Java or Groovy?
  6. Android keystore stopped working
  7. String.equals versus == [duplicate]
  8. How do I use optional parameters in Java?
  9. SSH library for Java [closed]
  10. How is an instance initializer different from a constructor?
  11. Switch tabs using Selenium WebDriver with Java
  12. What does “error: unreported exception ; must be caught or declared to be thrown” mean and how do I fix it?
  13. When is the static block of a class executed?
  14. Java HashMap performance optimization / alternative
  15. How to add 10 minutes to my (String) time?
  16. Start of week for locale using Joda-Time
  17. Error “ClassNotFoundException” in IntelliJ IDEA
  18. Java 8 Stream IllegalStateException: Stream has already been operated on or closed
  19. build maven project with propriatery libraries included [duplicate]
  20. Java varargs method param list vs. array
  21. Java: no security manager: RMI class loader disabled
  22. How to send byte[] as pdf to browser in java web application?
  23. Can I chain async task sequentially (starting one after the previous asynctask completes)
  24. How can I install “Android Support Library” to deploy a Gluon Mobile application to Android?
  25. How do I get the row count in JDBC?
  26. How can I run JavaScript code at server side Java code?
  27. Get the file size in android sdk?
  28. How to detect when a variable changes value
  29. Convert colorPrimary to colorPrimaryDark (how much darker)
  30. Including external jar-files in a new jar-file build with Ant

Leave a Comment