jar signing

Discussion in 'Java' started by srinivas.veeranki@gmail.com, Dec 18, 2007.

  1. Guest

    Hi All,

    I made the jar signer using the following commands in the build.xml
    <!-- For Signed Jars -->
    <property name="alias" value="pluginsigner"/>
    <property name="storepass" value="gis123"/>

    And

    <target name="sign" description="To sign the jars..." depends="jar">
        <signjar jar="${basedir}/DcvBuild/dcvclient.jar" alias="${alias}"
                 storepass="${storepass}"/>
    </target>

    It generates the signed jar successfully. But it's not giving any
    security to it. Using a decompiler I generated the jad file, modified
    it and saved that file as .java, and recompiled the generated source
    file. I replaced the old .class file with the new .class file and made
    the jar file. I replaced the old (signed) jar with the new jar file. I am
    able to run my application with the new jar file.

    Is it possible to restrict modification of the signed jar file?
    And also, my requirement is to not allow the application to run with
    the new jar. Is it possible?

    Can you please advise? Thanks in advance...

    Regards,

    Srinivas.
    , Dec 18, 2007
    #1

  2. wrote:
    ...
    >It generates the signed jar successfully. But it's not giving any
    >security to it. ...


    1) Signing a jar does not inherently 'give security' to it.
    A signed applet will prompt the user to allow full permissions,
    but they can always refuse. A signed web start app. will
    only get extra permissions if it requests them by specifying
    j2ee-application-client-permissions or all-permissions
    in the JNLP file (and the user agrees). A regular app.
    does not have a security manager, and code signing
    will not be checked.
    2) So, are you running this as a standard application?
    If that is the case, you might get the effect you want by
    launching it using web start, which I presume would notice
    the changed code, the invalid signature, and reject it.

    BTW - did you run the code signing tools 'information mode'
    on the second jar, to ask if it was correctly signed?

    --
    Andrew Thompson
    http://www.physci.org/

    Message posted via http://www.javakb.com
    Andrew Thompson, Dec 18, 2007
    #2

  3. Andrew Thompson wrote:
    >...
    >>It generates the signed jar successfully. But it's not giving any
    >>security to it. ...

    ...
    >BTW - did you run the code signing tools 'information mode'
    >on the second jar, to ask if it was correctly signed?


    Ahh yes, there it is.
    jarsigner -verify [ options ] jar-file
    <http://java.sun.com/javase/6/docs/technotes/tools/windows/jarsigner.html#Options>


    --
    Andrew Thompson
    http://www.physci.org/

    Message posted via JavaKB.com
    http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
    Andrew Thompson, Dec 19, 2007
    #3
  4. Guest

    On Dec 18, 5:23 pm, "Andrew Thompson" <u32984@uwe> wrote:
    > wrote:
    >
    > ..
    >
    > >It generates the signed jar successfully. But it's not giving any
    > >security to it. ...

    >
    > 1) Signing a jar does not inherently 'give security' to it.
    > A signed applet will prompt the user to allow full permissions,
    > but they can always refuse. A signed web start app. will
    > only get extra permissions if it requests them by specifying
    > j2ee-application-client-permissions or all-permissions
    > in the JNLP file (and the user agrees). A regular app.
    > does not have a security manager, and code signing
    > will not be checked.
    > 2) So, are you running this as a standard application?
    > If that is the case, you might get the effect you want by
    > launching it using web start, which I presume would notice
    > the changed code, the invalid signature, and reject it.
    >
    > BTW - did you run the code signing tools 'information mode'
    > on the second jar, to ask if it was correctly signed?
    >
    > --
    > Andrew Thompson
    > http://www.physci.org/
    >
    > Message posted via http://www.javakb.com


    Hi,

    I am running my application as a standalone app. How can I restrict
    this using Web Start?

    Can u plz suggest me?

    What about Jobfuscate? Does it work for this? I tried it, but
    it's not generating an output jar. I am unable to process any files
    using Jobfuscate even though I set the classpath.

    Regards,
    Srinivas.
    , Dec 19, 2007
    #4
  5. Roedy Green Guest

    Here is the ANT I use for a simple Jar build and sign.

    <target name="jar" depends="compile">
        <genjar jarfile="${jar.file}">
            <!-- include main class and all its dependencies -->
            <class name="${main.class}" />
            <!-- define the manifest -->
            <manifest>
                <attribute name="Main-Class" value="${main.class}" />
            </manifest>
        </genjar>

        <!-- S I G N -->
        <!-- get _your_ password from: set jarsignerpassword=sesame -->
        <!-- get _your_ code-signing certificate from: set cert=mindprodcert2007aprdsa -->
        <property environment="env" />
        <signjar jar="${jar.file}"
                 alias="${env.cert}" storepass="${env.jarsignerpassword}" />
    </target>

    --
    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
    Roedy Green, Dec 19, 2007
    #5
  6. Roedy Green Guest

    Roedy Green, Dec 19, 2007
    #6
  7. wrote:
    >> wrote:

    ...
    >I am running my application as a standalone app. How can i restrict
    >this using web start.


    After posting that comment, I realised that would be pointless.
    If someone 'wraps up' an application in webstart, it is trivial to
    'unwrap it' and use it as a plain application again.

    >Can u plz suggest me?


    Can you please spell words properly? This is not some
    SMS/text message where we need to restrict the message
    to just '90 characters'.

    >What about the jobfuscate? ..


    I have never used obfuscators. From what I hear, they
    are good for compressing bytecodes, and they make
    an app. a little harder to reverse engineer, but not
    impossible.

    What does this application do? Can the critical parts of
    the application be moved to a server?

    --
    Andrew Thompson
    http://www.physci.org/

    Message posted via JavaKB.com
    http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
    Andrew Thompson, Dec 19, 2007
    #7
  8. Roedy Green Guest

    On Tue, 18 Dec 2007 02:15:58 -0800 (PST),
    wrote, quoted or indirectly quoted someone who said :

    >Is it possible to restrict the modification in the signed jar file.
    >and also my requirement is not to allow the application to run with
    >new jar.


    What do you mean by that? Signing means nobody else can modify your
    jar without losing your signature. What else do you need?
    --
    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
    Roedy Green, Dec 20, 2007
    #8
  9. Guest

    On Dec 20, 1:41 pm, Roedy Green <>
    wrote:
    > On Tue, 18 Dec 2007 02:15:58 -0800 (PST),
    > wrote, quoted or indirectly quoted someone who said :
    >
    > >Is it possible to restrict the modification in the signed jar file.
    > >and also my requirement is not to allow the application to run with
    > >new jar.

    >
    > What do you mean by that? Signing means nobody else can modify your
    > jar without losing your signature. What else do you need?
    > --
    > Roedy Green Canadian Mind Products
    > The Java Glossary
    > http://mindprod.com


    Hi,

    My actual requirement is to prevent decompilation. I
    signed the jar, but I'm able to decompile the .class file and I can
    generate the .java file. I want to prevent this. If I use
    Jobfuscate I'll achieve my requirement. But I'm unable to generate the
    jar file even though I set the classpath before executing the Jobfuscate
    command.

    I generated the jar file using the build.xml. Can I apply the Jobfuscate
    command to that generated jar file, which contains the main method
    class? This is the client-side jar only.

    Is it possible to include the Jobfuscate command in the build.xml?

    Thanks in advance..

    Srinivas.
    , Dec 28, 2007
    #9
  10. EJP Guest

    Roedy Green wrote:
    > Signing means nobody else can modify your
    > jar without losing your signature.


    That's not quite right. Your original signature will remain, but it will
    no longer correspond with the signature generated at verification time
    for any changed files. So the verification step will fail.
    EJP, Dec 30, 2007
    #10
  11. Roedy Green Guest

    Roedy Green, Dec 30, 2007
    #11
  12. Roedy Green Guest

    On Fri, 28 Dec 2007 04:37:26 -0800 (PST),
    wrote, quoted or indirectly quoted someone who said :

    > Jobfuscate
    >command.


    I had never heard of Jobfuscate before. I googled it.

    http://www.duckware.com/jobfuscate/index.html

    It is an obfuscator that seems to work on class files rather than
    complete jars, as is traditional. It renames class files.

    I would just build the jar as before, using the renamed files.

    see http://mindprod.com/jgloss/ant.html
    http://mindprod.com/jgloss/jarexe.html
    http://mindprod.com/jgloss/jarsigner.html
    --
    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
    Roedy Green, Dec 30, 2007
    #12
  13. Roedy Green Guest

    On Sun, 30 Dec 2007 06:00:30 GMT, EJP
    <> wrote, quoted or indirectly quoted
    someone who said :

    >> Signing means nobody else can modify your
    >> jar without losing your signature.

    >
    >That's not quite right. Your original signature will remain, but it will
    >no longer correspond with the signature generated at verification time
    >for any changed files. So the verification step will fail.


    In other words the jar will no longer be signed.

    Using an analogy, digitally signing is like sealing with sealing wax
    and your signet ring. If somebody tampers, the wax seal will be
    broken.

    The term "sealing" is often used in computing still to mean some way
    of freezing a collection from changes.
    --
    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
    Roedy Green, Dec 30, 2007
    #13
  14. Roedy Green Guest

    On Sun, 30 Dec 2007 07:35:30 GMT, Roedy Green
    <> wrote, quoted or indirectly quoted
    someone who said :

    >
    >The term "sealing" is often used in computing still to mean some way
    >of freezing a collection from changes.


    see http://mindprod.com/jgloss/seal.html
    --
    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
    Roedy Green, Dec 30, 2007
    #14
  15. EJP Guest

    Roedy Green wrote:
    > In other words the jar will no longer be signed.


    No, in other words the signature will no longer be *valid*.
    EJP, Dec 30, 2007
    #15
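    Two points made in this thread can be checked directly from Java code: the
    `jarsigner -verify` step Andrew points to in #3, and EJP's distinction in #10
    and #15 that the signature block stays inside a modified jar but no longer
    matches the replaced entries. The following is an added example, not code
    posted by anyone in this thread; it uses only the standard `java.util.jar`
    API and assumes Java 7 or later (try-with-resources). It opens a jar in
    verifying mode, reads every entry to force the manifest digests to be
    compared, and reports each entry as signed, unsigned (added after signing,
    or the whole jar re-created without signature files) or tampered (listed in
    the manifest but with a different digest, which is what a recompiled .class
    dropped into a signed jar looks like).

```java
// Added example (not from the thread): verify a signed jar the way the JVM
// does, reading every entry so the per-entry digests recorded in
// META-INF/MANIFEST.MF are actually compared, and report the outcome.
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    /** Counts for one jar: entries with a valid signature, without one, and with a digest mismatch. */
    public static final class Result {
        public int signed, unsigned, tampered;
        public boolean allSigned() { return tampered == 0 && unsigned == 0 && signed > 0; }
    }

    public static Result check(String path) throws IOException {
        Result r = new Result();
        // verify=true makes JarFile compare each entry's bytes against the manifest
        // digests as the entry is read; a mismatch surfaces as a SecurityException
        // while reading, not when the jar is opened.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed content
                }
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain the entry to trigger the digest check */ }
                } catch (SecurityException se) {
                    // The manifest lists this entry with a different digest: it was
                    // replaced after signing (e.g. a recompiled .class).
                    r.tampered++;
                    System.out.println("TAMPERED  " + e.getName() + ": " + se.getMessage());
                    continue;
                }
                // getCodeSigners() is only populated once the entry has been fully read.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    r.unsigned++;
                    System.out.println("UNSIGNED  " + e.getName());
                } else {
                    r.signed++;
                    X509Certificate cert = (X509Certificate)
                        signers[0].getSignerCertPath().getCertificates().get(0);
                    System.out.println("SIGNED    " + e.getName()
                        + " by " + cert.getSubjectX500Principal());
                }
            }
        }
        return r;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignatureCheck <file.jar>");
            System.exit(2);
        }
        Result r = check(args[0]);
        System.out.printf("signed=%d unsigned=%d tampered=%d -> %s%n",
            r.signed, r.unsigned, r.tampered, r.allSigned() ? "OK" : "REJECT");
        System.exit(r.allSigned() ? 0 : 1);
    }
}
```

    Run it as `java JarSignatureCheck dcvclient.jar`; it exits 0 only when every
    entry outside META-INF/ is covered by a signature whose digest still matches.
    Note that this only verifies integrity against the embedded certificate; it
    does not by itself decide whether that certificate is one you trust, which is
    the policy decision Web Start or a security manager adds on top. And, as
    Andrew's remark about unwrapping a Web Start application already implies, a
    check compiled into the same jar can be removed by whoever modified that jar,
    so it is only worth running from somewhere the modifier does not control: a
    separate launcher, the platform's own verification path, or a
    `jarsigner -verify` step in the deployment pipeline.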
