Determine jar signer

A

Arn Cota

Hi,

I am trying to develop some code that takes a directory full of jars, and
determines if the jars are signed, and if so, by whom. Any pointers?

Thanks
 
R

Roedy Green

I am trying to develop some code that takes a directory full of jars, and
determines if the jars are signed, and if so, by whom. Any pointers?

a jar is just a zip file with a manifest file. Use the zip classes to
determine it.

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

See http://mindprod.com/jgloss/jarfile.html#MANIFEST

for sample code see http://mindprod.com/jgloss/zip.html

--
Bush crime family lost/embezzled $3 trillion from Pentagon.
Complicit Bush-friendly media keeps mum. Rumsfeld confesses on video.
http://www.infowars.com/articles/us/mckinney_grills_rumsfeld.htm

Canadian Mind Products, Roedy Green.
See http://mindprod.com/iraq.html photos of Bush's war crimes
 
A

Arn Cota

Thanks. I have been pulling the "Implementation-Vendor" entry out of the
manifest and using this as the name of the signer, is this correct? The
mindprod.com link seems to be broken by the way.
 
J

Joel Kamentz

Implementation Vendor is not related to signer.

How much do you care about the accuracy of the answer? For example, if
you're making trust decisions in something like the Java Plug-in, you have
to be completely correct about this kind of stuff. But, for simple
utilities which answer is this jar already signed? by whom? It might not be
necessary to do so much work.

Unfortunately, there are no ready-made routines in the Java API to do what
you want. Since you talk about writing code, I'm assuming you want Java
code, rather than a shell script which calls jarsigner -verify on each jar
in the directory.

The proper way to determine whether a jar is signed seems to be the
following:

Create a jar file with verification turned on (which is the default). For
each file entry NOT under /META-INF/, fully read the entry bytes (get the
input stream and read until it's empty). Note that while META-INF is
supposed to be upper case, the guidelines suggest that tools should be able
to handle it case insensitively. Only after the entry is fully read can you
truly get the certificates / signer information for it.

If you're using Java 1.5+, you can call getCodeSigners() on the jar entry.
If you're using Java <1.5, things are a whole lot more work.

Look for a CodeSigner (or at least a CertPath used within the CodeSigner)
which is common to all of the non-meta-inf entries. (Individual entries in
a jar are signed, it just usually happens that the entire content of a jar
is signed. However, someone could sign a jar, then add some more entries
and then sign it again with a different signature. All of the entries would
be signed by signature 2 but only some of them would be signed by signature
1. For trust decisions like whether to copy a downloaded jar into a trusted
location, you MUST be certain that ALL of the content in a jar is
trustworthy first!)

Signatures don't really mean anything unless they can be verified to be
issued by a trusted certificate authority. For making trust decisions you
should also verify that the CertPath is consistent, currently valid and has
a trusted root. Etc. Etc.



If all you want is a quick and dirty utility to dump out info for the 99%
case, use jarsigner -verify or open the jar and start going through
non-meta-inf entries which are files. Read the entry data fully. get the
signers. If there are any, dump the info and stop -- most of the time, if a
jar is signed, the entire jar is signed and by only one signer.


Joel
 
A

Arn Cota

I am using the information to group files together for jnlp/webstart setup.
I am not sure how restrictive that is.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top