Dag said:
You can rest assured that every single byte in every class inside your
signed jar file is included in the hash while signing.
I believe that it's more accurate to say that each file is individually signed.
Thus (if I'm right) you can add new unsigned files to a signed JAR without
disturbing the validity of the previously-existing signatures (this is
necessary in order to allow a JAR to be signed by several entities
independently). You can modify the order of files in the JAR or change their
ZIP-level attributes (comments, permissions, etc). You can remove files from
the JAR and the remaining files will still be signed. You can even replace
individual class files and, while they will no longer be signed, all the others
will be OK, so (as long as the changed files themselves are not used in a
context where a valid signature is required), the JAR still works.
I'm not absolutely sure of all that, mind, but it's what the JAR spec and
security architecture document seem to be saying. I'd welcome correction.
Probably not useful to the OP, of course...
That raises an interesting question: are resources in a signed JAR checked
before being opened? I can't find an answer, but I suspect it's no[*]. If
not, then it raises the interesting possibility that an applet or JWS app
supplied and signed by -- say -- the Department of the Environment, could be
hacked to display, um, inappropriate imagery. Again, I'd welcome correction if
I'm missing something, or just plain wrong.
-- chris
[*] There doesn't seem to be a "permission" which means "can [only] open signed
resources".
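As an added example (not code from the thread), the per-entry digest layer described above can be checked directly: the script below reads the manifest's per-entry SHA-256-Digest sections from a constructed sample JAR and classifies every entry as signed, modified (digest no longer matches) or unsigned (no manifest section, i.e. added after signing). It assumes SHA-256 digests and checks only the manifest digests; full jarsigner verification additionally validates the .SF file and the signature block over the manifest, which this example does not do.

```python
import base64, hashlib, io, zipfile
MANIFEST = "META-INF/MANIFEST.MF"

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> SHA-256-Digest from the manifest's per-entry sections."""
    # Lines longer than 72 bytes are continued on the next line with a leading space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests, name = {}, None
    for line in text.split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":          # a blank line ends the current section
            name = None
    return digests

def check_jar(jar_bytes):
    """Classify every non-META-INF entry as 'signed', 'modified' or 'unsigned'."""
    zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    digests = parse_manifest(zf.read(MANIFEST).decode())
    report = {}
    for info in zf.infolist():
        if info.filename.startswith("META-INF/") or info.is_dir():
            continue
        if info.filename not in digests:
            report[info.filename] = "unsigned"      # no section: added after signing
        elif digests[info.filename] == b64_sha256(zf.read(info.filename)):
            report[info.filename] = "signed"
        else:
            report[info.filename] = "modified"      # digest no longer matches content
    return report

def build_sample_jar():
    """Constructed sample: manifest covers Main.class and logo.png; logo.png is then swapped and extra.txt added."""
    original = {"Main.class": b"\xca\xfe\xba\xbe original", "logo.png": b"PNG original"}
    lines = ["Manifest-Version: 1.0", ""]
    for n, data in original.items():
        lines += [f"Name: {n}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\n".join(lines) + "\n")
        zf.writestr("Main.class", original["Main.class"])
        zf.writestr("logo.png", b"PNG swapped")     # resource replaced after signing
        zf.writestr("extra.txt", b"added later")    # never signed
    return buf.getvalue()
```

Running `check_jar(build_sample_jar())` reports Main.class as signed, logo.png as modified and extra.txt as unsigned, which is exactly the per-file behaviour the post describes.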