Verifying signed jar files from C

[Paul J. Lucas]

I have a double-clickable application (for both Windows and Mac OS X) written
in Java (stored in jar files) that uses a native launcher written in C to
start a JVM and run a particular class's main() contained in one of the jar
files.

I want to sign the jar files at build-time and later verify them at run-time
to ensure they haven't been altered. I want to do the verification as part
of the launcher written in C because somebody could still modify the jar
files and either leave them unsigned or resign them with his own self-signed
certificate.

I've done a lot of Google searches and I haven't been able to find any
information on doing what I want. (I only find stuff on signing applets and
verifying jar files with the jarsigner command-line tool.)

Can I do what I want and, if so, how?

- Paul

 

[Andrew Thompson]

I have a double-clickable application (for both Windows and Mac OS X) written
in Java (stored in jar files) ....
I want to sign the jar files at build-time and later verify them at run-time
to ensure they haven't been altered. ....
Can I do what I want and, if so, how?

Use web-start. It will give the user desktop icons for
win & mac (and unix/linux, if required), and will handle
the verification for you.

While there may be ways to launch a web-started
application from 'the class files' - I have never seen
it done, and it would be at the mercy of changes in
web-start itself (the tech. people specifically warn
against relying on a given cache location, and any
attempt to launch it would probably need to look
to the classes in the cache).

Just how technically proficient do you expect your
end users to be? (I reckon by the time they could
hack a solution together under web-start, they might
just as easily have hunted down the parts of the C
code that invoke the signature check).

Andrew T.