How jar signing and timestamping work?


R

Roedy Green

How do jar signing and timestamping work? This what I have been able
to find out consolidating from many sources:


jar.exe prepares a digest of each element in the jar and puts in
MANIFEST.MF. jarsigner.exe signs each element with your code signing
certificate (i.e. encrypts each digest with your code-signing private
key) and puts them in XXX.SF. It then prepares a digest of all the
digests (I don’t know if it uses unsigned or signed versions) and
digitally signs that and puts it in XXX.SF. Then it sends that super
digest to the time stamping service. The timestamping service appends
the time and digitally signs it with their private key and immediately
sends you back a certificate. In a way I don’t understand,
jarsigner.exe includes the certificate in the jar.

Jarsigner also puts the public key for the code signing certificate
and the public key for the time stamping service in XXX.DSA along with
the signature for the file as a whole.
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top