Determine jar signer

Discussion in 'Java' started by Arn Cota, Jun 28, 2005.

  1. Arn Cota

    Arn Cota Guest

    Hi,

    I am trying to develop some code that takes a directory full of jars, and
    determines if the jars are signed, and if so, by whom. Any pointers?

    Thanks
    Arn Cota, Jun 28, 2005
    #1

  2. Roedy Green

    Roedy Green Guest

    On Tue, 28 Jun 2005 09:29:10 -0400, "Arn Cota" <>
    wrote or quoted :

    >I am trying to develop some code that takes a directory full of jars, and
    >determines if the jars are signed, and if so, by whom. Any pointers?


    A jar is just a zip file with a manifest file. Use the zip classes to
    determine it.

    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipInputStream;

    See http://mindprod.com/jgloss/jarfile.html#MANIFEST

    for sample code see http://mindprod.com/jgloss/zip.html

    --
    Bush crime family lost/embezzled $3 trillion from Pentagon.
    Complicit Bush-friendly media keeps mum. Rumsfeld confesses on video.
    http://www.infowars.com/articles/us/mckinney_grills_rumsfeld.htm

    Canadian Mind Products, Roedy Green.
    See http://mindprod.com/iraq.html photos of Bush's war crimes
    Roedy Green, Jun 28, 2005
    #2

  3. Thomas Weidenfeller, Jun 28, 2005
    #3
  4. Arn Cota

    Arn Cota Guest

    Thanks. I have been pulling the "Implementation-Vendor" entry out of the
    manifest and using this as the name of the signer; is this correct? The
    mindprod.com link seems to be broken, by the way.

    Arn Cota, Jun 28, 2005
    #4
  5. Arn Cota

    Arn Cota Guest

    Ah, thank you!

    "Thomas Weidenfeller" <> wrote in message
    news:d9rq9g$nia$...
    > Arn Cota wrote:
    >> Hi,
    >>
    >> I am trying to develop some code that takes a directory full of jars, and
    >> determines if the jars are signed, and if so, by whom. Any pointers?

    >
    > Sun's standard documentation:
    >
    > http://java.sun.com/j2se/1.5.0/docs/guide/jar/jar.html
    > http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/package-summary.html
    >
    > /Thomas
    >
    >
    > --
    > The comp.lang.java.gui FAQ:
    > ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/computer-lang/java/gui/faq
    > http://www.uni-giessen.de/faq/archiv/computer-lang.java.gui.faq/
    Arn Cota, Jun 28, 2005
    #5
  6. Andrew Thompson

    On Tue, 28 Jun 2005 11:37:08 -0400, Arn Cota wrote:
    > "Roedy Green" <> wrote in message
    >> a jar is just a zip file with a manifest file. Use the zip classes to
    >> determine it.
    ...
    >> See http://mindprod.com/jgloss/jarfile.html#MANIFEST
    > .. The
    > mindprod.com link seems to be broken by the way.

    I think Roedy meant
    <http://mindprod.com/jgloss/jar.html#MANIFEST>

    [ Note: Follow-ups set to c.l.j.programmer ]

    HTH

    --
    Andrew Thompson
    http://www.PhySci.org/codes/ Web & IT Help
    http://www.PhySci.org/ Open-source software suite
    http://www.1point1C.org/ Science & Technology
    http://www.LensEscapes.com/ Images that escape the mundane
    Andrew Thompson, Jun 28, 2005
    #6
  7. Joel Kamentz

    Joel Kamentz Guest

    Implementation Vendor is not related to signer.

    How much do you care about the accuracy of the answer? For example, if
    you're making trust decisions in something like the Java Plug-in, you have
    to be completely correct about this kind of stuff. But for simple
    utilities which answer "is this jar already signed? by whom?", it might not
    be necessary to do so much work.

    Unfortunately, there are no ready-made routines in the Java API to do what
    you want. Since you talk about writing code, I'm assuming you want Java
    code, rather than a shell script which calls jarsigner -verify on each jar
    in the directory.

    The proper way to determine whether a jar is signed seems to be the
    following:

    Create a jar file with verification turned on (which is the default). For
    each file entry NOT under /META-INF/, fully read the entry bytes (get the
    input stream and read until it's empty). Note that while META-INF is
    supposed to be upper case, the guidelines suggest that tools should be able
    to handle it case insensitively. Only after the entry is fully read can you
    truly get the certificates / signer information for it.

    If you're using Java 1.5+, you can call getCodeSigners() on the jar entry.
    If you're using Java <1.5, things are a whole lot more work.

    Look for a CodeSigner (or at least a CertPath used within the CodeSigner)
    which is common to all of the non-meta-inf entries. (Individual entries in
    a jar are signed, it just usually happens that the entire content of a jar
    is signed. However, someone could sign a jar, then add some more entries
    and then sign it again with a different signature. All of the entries would
    be signed by signature 2 but only some of them would be signed by signature
    1. For trust decisions like whether to copy a downloaded jar into a trusted
    location, you MUST be certain that ALL of the content in a jar is
    trustworthy first!)

    Signatures don't really mean anything unless they can be verified to be
    issued by a trusted certificate authority. For making trust decisions you
    should also verify that the CertPath is consistent, currently valid and has
    a trusted root. Etc. Etc.



    If all you want is a quick and dirty utility to dump out info for the 99%
    case, use jarsigner -verify, or open the jar and start going through
    non-meta-inf entries which are files. Read the entry data fully. Get the
    signers. If there are any, dump the info and stop -- most of the time, if a
    jar is signed, the entire jar is signed and by only one signer.


    Joel



    Joel Kamentz, Jun 28, 2005
    #7
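    An added example (written for this edit, not code from any poster in the thread) that implements the procedure Joel describes with the Java 5+ java.util.jar API: open each jar with verification on, read every non-META-INF file entry to EOF, call getCodeSigners(), and keep only the signers common to all entries. The class and method names are my own, it assumes Java 7+ (try-with-resources) and a directory path as its argument, and as Joel warns it only prints the leaf certificate subject; it does not validate the CertPath against a trust store.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerReport {

    /** Signers shared by EVERY non-META-INF file entry; empty if any entry is unsigned or signer sets differ. */
    static Set<CodeSigner> commonSigners(Path jar) throws IOException {
        Set<CodeSigner> common = null;
        try (JarFile jf = new JarFile(jar.toFile(), true)) {           // verify = true (the default)
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements(); ) {
                JarEntry e = en.nextElement();
                // Skip directories and anything under META-INF, matched case-insensitively as the spec advises.
                if (e.isDirectory() || e.getName().regionMatches(true, 0, "META-INF/", 0, 9)) continue;
                byte[] buf = new byte[8192];
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* signers are only available once the entry is read to EOF */ }
                } catch (SecurityException tampered) { return Collections.<CodeSigner>emptySet(); } // digest mismatch
                CodeSigner[] signers = e.getCodeSigners();              // null when the entry carries no signature
                Set<CodeSigner> here = new HashSet<CodeSigner>();
                if (signers != null) here.addAll(Arrays.asList(signers));
                if (common == null) common = here; else common.retainAll(here);
                if (common.isEmpty()) break;                            // partial or mixed signing: stop early
            }
        }
        return common == null ? Collections.<CodeSigner>emptySet() : common;
    }

    /** Display name of the signer: the subject of the leaf certificate in its CertPath (not chain-validated). */
    static String subjectOf(CodeSigner s) {
        X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
        return leaf.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 ? args[0] : ".");         // directory of jars to inspect
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(dir, "*.jar")) {
            for (Path jar : jars) {
                Set<CodeSigner> signers = commonSigners(jar);
                if (signers.isEmpty()) System.out.println(jar.getFileName() + ": not signed as a whole");
                for (CodeSigner s : signers) System.out.println(jar.getFileName() + ": signed by " + subjectOf(s));
            }
        }
    }
}
```

    A jar whose entries were signed by two different keys at different times, as in Joel's re-signing scenario, reports only the signer present on all entries, and a jar with a tampered entry reports nothing rather than a partial signer.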
  8. Arn Cota

    Arn Cota Guest

    I am using the information to group files together for jnlp/webstart setup.
    I am not sure how restrictive that is.

    Arn Cota, Jun 28, 2005
    #8
  9. Roedy Green

    Roedy Green Guest

    Roedy Green, Jun 30, 2005
    #9