Implementation Vendor is not related to signer.
How much do you care about the accuracy of the answer? For example, if
you're making trust decisions in something like the Java Plug-in, you have
to be completely correct about this kind of stuff. But, for simple
utilities which answer is this jar already signed? by whom? It might not be
necessary to do so much work.
Unfortunately, there are no ready-made routines in the Java API to do what
you want. Since you talk about writing code, I'm assuming you want Java
code, rather than a shell script which calls jarsigner -verify on each jar
in the directory.
The proper way to determine whether a jar is signed seems to be the
following:
Create a jar file with verification turned on (which is the default). For
each file entry NOT under /META-INF/, fully read the entry bytes (get the
input stream and read until it's empty). Note that while META-INF is
supposed to be upper case, the guidelines suggest that tools should be able
to handle it case insensitively. Only after the entry is fully read can you
truly get the certificates / signer information for it.
If you're using Java 1.5+, you can call getCodeSigners() on the jar entry.
If you're using Java <1.5, things are a whole lot more work.
Look for a CodeSigner (or at least a CertPath used within the CodeSigner)
which is common to all of the non-meta-inf entries. (Individual entries in
a jar are signed, it just usually happens that the entire content of a jar
is signed. However, someone could sign a jar, then add some more entries
and then sign it again with a different signature. All of the entries would
be signed by signature 2 but only some of them would be signed by signature
1. For trust decisions like whether to copy a downloaded jar into a trusted
location, you MUST be certain that ALL of the content in a jar is
trustworthy first!)
Signatures don't really mean anything unless they can be verified to be
issued by a trusted certificate authority. For making trust decisions you
should also verify that the CertPath is consistent, currently valid and has
a trusted root. Etc. Etc.
If all you want is a quick and dirty utility to dump out info for the 99%
case, use jarsigner -verify or open the jar and start going through
non-meta-inf entries which are files. Read the entry data fully. get the
signers. If there are any, dump the info and stop -- most of the time, if a
jar is signed, the entire jar is signed and by only one signer.
Joel