Changing contents of signed Jar?

swebb99

Hi,

If I want to unzip a signed jar and zip it back up after tweaking a file
or two, do I have to sign it again? I'm not sure if the signing process
uses the contents of the jar or not!


Thanks


Steve
 
M.J. Dance

> Hi,
>
> If I want to unzip a signed jar and zip it back up after tweaking a file
> or two, do I have to sign it again? I'm not sure if the signing process
> uses the contents of the jar or not!

Imagine this. You sign a check for, say, $1000 to pay for something. The person
who receives that check asks: is it alright to add a couple of more zeros to the
amount stated? What would you say?
 
Dag Sunde

> Hi,
>
> If I want to unzip a signed jar and zip it back up after tweaking a
> file or two, do I have to sign it again? I'm not sure if the signing
> process uses the contents of the jar or not!

Now, step back a little bit and ask yourself: "Why am I signing a jar?"

It is because I need the trust from the user, so that he will grant my
code extended privileges (such as deleting his files).

If someone could extract, change, and rewrap a signed jar-file, wouldn't
that open the possibility for someone to change my code to do something
malicious, like actually delete all his files?

You can rest assured that every single byte in every class inside your
signed jar file is included in the hash while signing.

Change a period, and the signature *will* be invalid.
 
Chris Uppal

Dag said:
> You can rest assured that every single byte in every class inside your
> signed jar file is included in the hash while signing.

I believe that it's more accurate to say that each file is individually signed.
Thus (if I'm right) you can add new unsigned files to a signed JAR without
disturbing the validity of the previously-existing signatures (this is
necessary in order to allow a JAR to be signed by several entities
independently). You can modify the order of files in the JAR or change their
ZIP-level attributes (comments, permissions, etc). You can remove files from
the JAR and the remaining files will still be signed. You can even replace
individual class files and, while they will no longer be signed, all the others
will be OK, so (as long as the changed files themselves are not used in a
context where a valid signature is required), the JAR still works.

I'm not absolutely sure of all that, mind, but it's what the JAR spec and
security architecture document seem to be saying. I'd welcome correction.

Probably not useful to the OP, of course...

That raises an interesting question: are resources in a signed JAR checked
before being opened? I can't find an answer, but I suspect it's no[*]. If
not, then it raises the interesting possibility that an applet or JWS app
supplied and signed by -- say -- the Department of the Environment, could be
hacked to display, um, inappropriate imagery. Again, I'd welcome correction if
I'm missing something, or just plain wrong.

-- chris

[*] There doesn't seem to be a "permission" which means "can [only] open signed
resources".
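
The per-entry behaviour Chris describes, modelled as an added example that is not part of the thread. It covers only the manifest layer (one `SHA-256-Digest` section per entry in `META-INF/MANIFEST.MF`); a real verifier such as `jarsigner -verify` also checks the `.SF` file and signature block. Entry names and contents are constructed.

```python
import base64, hashlib, io, zipfile

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def make_manifest(files):
    """Manifest with one Name / SHA-256-Digest section per entry (short names, no 72-byte wrapping)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    return "\r\n".join(lines).encode()

def parse_manifest(raw):
    """Return {entry name: digest} from the per-entry sections."""
    text = raw.decode().replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def build_jar(files, manifest):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

def classify(jar_bytes):
    """Label every entry: ok, modified, unlisted (no digest), or missing (listed but absent)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        listed = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
        result = {name: "missing" for name in listed}
        for name in jar.namelist():
            if not name.startswith("META-INF/"):
                match = b64_sha256(jar.read(name)) == listed.get(name)
                result[name] = "unlisted" if name not in listed else ("ok" if match else "modified")
    return result

# Constructed sample: the manifest is produced for ORIGINAL, then the archive is repacked with changes.
ORIGINAL = {"app/Main.class": b"main-v1", "app/Util.class": b"util-v1", "img/logo.png": b"logo-v1"}
SIGNED_MANIFEST = make_manifest(ORIGINAL)
REPACKED = {"app/Main.class": b"main-v1", "app/Util.class": b"util-v2", "extra/Added.class": b"new"}
REPACKED_JAR = build_jar(REPACKED, SIGNED_MANIFEST)

if __name__ == "__main__":
    print(classify(REPACKED_JAR))
```

Anything reported as `unlisted` or `modified` is content the signer never vouched for, even though untouched entries in the same archive still match their digests.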
 
Thomas Hawtin

Chris said:
> I'm not absolutely sure of all that, mind, but it's what the JAR spec and
> security architecture document seem to be saying. I'd welcome correction.

A couple of points worth noting: The JNLP spec requires that all jars are
signed with the same certificate. ClassLoader does not allow code signed
with different certificates into the same actual package.

Most of the security documentation is hideously out of date. According
to the blogs, Sun now has someone working full time on code security, so
they might get better.

> That raises an interesting question: are resources in a signed JAR checked
> before being opened? I can't find an answer, but I suspect it's no[*]. If
> not, then it raises the interesting possibility that an applet or JWS app
> supplied and signed by -- say -- the Department of the Environment, could be
> hacked to display, um, inappropriate imagery. Again, I'd welcome correction if
> I'm missing something, or just plain wrong.

Certainly not (trivially) with JWS. Non-JWS applets, I don't know. I
would strongly suggest not signing any code (you want something
malicious appearing to be authorised by yourself or your employer??).
And don't accept it either.

Tom Hawtin
 
