R
Roedy Green
How do jar signing and timestamping work? This what I have been able
to find out consolidating from many sources:
jar.exe prepares a digest of each element in the jar and puts in
MANIFEST.MF. jarsigner.exe signs each element with your code signing
certificate (i.e. encrypts each digest with your code-signing private
key) and puts them in XXX.SF. It then prepares a digest of all the
digests (I don’t know if it uses unsigned or signed versions) and
digitally signs that and puts it in XXX.SF. Then it sends that super
digest to the time stamping service. The timestamping service appends
the time and digitally signs it with their private key and immediately
sends you back a certificate. In a way I don’t understand,
jarsigner.exe includes the certificate in the jar.
Jarsigner also puts the public key for the code signing certificate
and the public key for the time stamping service in XXX.DSA along with
the signature for the file as a whole.
to find out consolidating from many sources:
jar.exe prepares a digest of each element in the jar and puts in
MANIFEST.MF. jarsigner.exe signs each element with your code signing
certificate (i.e. encrypts each digest with your code-signing private
key) and puts them in XXX.SF. It then prepares a digest of all the
digests (I don’t know if it uses unsigned or signed versions) and
digitally signs that and puts it in XXX.SF. Then it sends that super
digest to the time stamping service. The timestamping service appends
the time and digitally signs it with their private key and immediately
sends you back a certificate. In a way I don’t understand,
jarsigner.exe includes the certificate in the jar.
Jarsigner also puts the public key for the code signing certificate
and the public key for the time stamping service in XXX.DSA along with
the signature for the file as a whole.