JAR files can be signed with the jarsigner tool or directly through the java.security API. A signed JAR file is the same as the original JAR file, except that its manifest file is updated and two files are added to the META-INF directory: a signature file and a signature block file. If you are not familiar with digital signatures, read 《Introduction to digital signatures》 and 《Java digital signature and digital certificate》 first.

A JAR file is signed with a certificate stored in a keystore database. The certificate in the keystore is password-protected, and you must supply this password to the jarsigner tool in order to sign the JAR file.

Figure 1. keystore database
After the JAR file has been signed with jarsigner, the META-INF folder contains two more files: XXX.SF and XXX.YYY. XXX is the alias of the key used for signing. The extension YYY depends on the signature algorithm (RSA, DSA or PGP) and on the type of certificate used to sign the JAR, so different signatures produce different extensions. The XXX.SF file has the same format as the manifest file (a set of RFC-822 headers). It mainly contains the signature data for the JAR file and the manifest file (the encrypted hash codes). Strangely, after signing, the manifest file also carries a digest for each entry of the JAR file itself, and it is different from the one in the XXX.SF file. Why are there two? Puzzling. The XXX.YYY file (for example test.RSA) contains, in addition to the public key that corresponds to the signing private key, information about the signer. When a signed JAR file is verified, the digest values in the signature file are compared with the digest values computed from the corresponding entries in the JAR file.

MANIFEST.MF file:

    Manifest-Version: 1.0
    Created-By: 1.6.0_11 (Sun Microsystems Inc.)
    Main-Class: Hello

    Name: util.class
    SHA1-Digest: uqkspoch+heh4w8d4/e7ifo7y2a=

    Name: Hello.class
    SHA1-Digest: hqjfmvxm5jhrx2afxitiicvzddq=

test.SF file:

    Signature-Version: 1.0
    SHA1-Digest-Manifest-Main-Attributes: +yrcddwvi7qfdviahkrnkihg2zc=
    Created-By: 1.6.0_11 (Sun Microsystems Inc.)
    SHA1-Digest-Manifest: dcxoouzpsgxrxxyh5prnx47er7m=

    Name: util.class
    SHA1-Digest: 5g4n0t4scmdowif10vd7pmtcm1g=

    Name: Hello.class
    SHA1-Digest: ovgpi1scz7py8o0rjquuszt6h/q=

Keystore

To sign a JAR file you must first have a private key. Private keys and their associated public-key certificates are stored in a password-protected database called a keystore. The JDK includes tools for creating and modifying keystores. Each key in a keystore is identified by an alias, which is usually the name of the signer who owns the key. All keystore entries (key entries and trusted certificate entries) are accessed through a unique alias. The alias is specified when the keytool -genkey command generates a key pair (public key and private key) and adds an entry to the keystore; later keytool commands must use the same alias to refer to that entry. For example, to generate a new public/private key pair with the alias "Robin" and wrap the public key in a self-signed certificate, run the following command:

Example 1

    keytool -genkey -alias Robin -keystore Robin.keystore -storepass gl2009 -keypass gl2009 -validity 100 -keyalg RSA -keysize 1024 -sigalg MD5withRSA

This command generates a public/private key pair with the alias "Robin" and adds it to the keystore file Robin.keystore, creating the file if it does not exist. The keystore password is gl2009, the password of the private key being added is gl2009, the certificate is valid for 100 days, the key pair is named Robin and uses the RSA algorithm with a key length of 1024 bits, and MD5withRSA is used for signing (MD5 hashes the data and RSA encrypts the hash). Enter the following information when prompted:

    What is your first and last name?
      [Unknown]:  hubing
    What is the name of your organizational unit?
      [Unknown]:  gl
    What is the name of your organization?
      [Unknown]:  gameloft
    What is the name of your City or Locality?
      [Unknown]:  chengdu
    What is the name of your State or Province?
      [Unknown]:  shichuan
    What is the two-letter country code for this unit?
      [Unknown]:  CN
    Is CN=hubing, OU=gl, O=gameloft, L=chengdu, ST=shichuan, C=CN correct?
      [no]:  yes

jarsigner

The jarsigner tool uses a keystore to generate or verify the digital signature of a JAR file. Assuming the keystore file Robin.keystore was created as in Example 1, you can sign a JAR file with the following command:

Example 2

    jarsigner -keystore Robin.keystore -storepass gl2009 -keypass gl2009 hello.jar Robin

This opens the keystore file Robin.keystore with the password "gl2009", takes the public/private key pair with the alias "Robin" (whose private key password is "gl2009"), and digitally signs hello.jar in place according to the conventions in Robin.keystore.

Example 3

    jarsigner -keystore Robin.keystore -storepass gl2009 -keypass gl2009 -signedjar hello_signed.jar hello.jar Robin

This does the same as Example 2, but writes the signed output to hello_signed.jar instead of modifying hello.jar.

Verifying a signed JAR file with jarsigner is just as simple; run:

    jarsigner -verify hello.jar

If the signed JAR file has not been tampered with, jarsigner reports that the JAR file verified. Otherwise it throws a SecurityException that indicates which files failed verification. You can also use the java.util.jar and java.security APIs to sign a JAR file programmatically.
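As an added example (not code from the original post and not jarsigner's own implementation), the following Python script reproduces the digest layer that jarsigner writes into MANIFEST.MF and XXX.SF and then performs the verification step described above: every JAR entry is re-digested and compared with the manifest, and the .SF digests are compared with the manifest sections. It also shows why the two files carry different digests for the same entry name: MANIFEST.MF digests the entry's bytes, while XXX.SF digests the manifest section that describes the entry. The in-memory JAR, its two stand-in "class" entries and the Created-By value are constructed for the example; the RSA/DSA signature over the .SF file that lives in the signature block file is not reproduced, and the 72-byte line wrapping of the real manifest format is ignored.

```python
import base64
import hashlib
import io
import zipfile

# Added example, not jarsigner's code: reproduces the digest bookkeeping of
# MANIFEST.MF and XXX.SF plus the digest comparison done at verification time.
# The signature block file (XXX.RSA / XXX.DSA), i.e. the signature over the
# .SF bytes, is deliberately not reproduced.

def sha1_b64(data: bytes) -> str:
    """Base64 of the raw SHA-1 digest, the encoding used by SHA1-Digest headers."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def section(*lines: str) -> str:
    """One RFC-822-style section, including the blank line that terminates it."""
    return "\r\n".join(lines) + "\r\n\r\n"

def split_sections(text: str):
    """Return (main_section, [(entry_name, entry_section), ...]).
    Sections keep their terminating blank line: the .SF digests cover the
    section bytes exactly as they appear in the manifest."""
    chunks = [c + "\r\n\r\n" for c in text.split("\r\n\r\n") if c]
    entries = []
    for chunk in chunks[1:]:
        name = next(l for l in chunk.split("\r\n") if l.startswith("Name: "))[len("Name: "):]
        entries.append((name, chunk))
    return chunks[0], entries

def attr(sec: str, key: str) -> str:
    """Value of header `key` inside one section (72-byte line wrapping ignored)."""
    for line in sec.split("\r\n"):
        if line.startswith(key + ": "):
            return line[len(key) + 2:]
    raise KeyError(key)

def build_manifest(jar: zipfile.ZipFile, main_class: str) -> str:
    """Main attributes, then one Name/SHA1-Digest section per JAR entry.
    The per-entry digest is over the entry's content bytes."""
    out = section("Manifest-Version: 1.0", "Created-By: example (constructed)",
                  f"Main-Class: {main_class}")
    for info in jar.infolist():
        if info.is_dir() or info.filename.startswith("META-INF/"):
            continue  # directories and the signature files themselves are not digested
        out += section(f"Name: {info.filename}",
                       f"SHA1-Digest: {sha1_b64(jar.read(info.filename))}")
    return out

def build_sf(manifest: str) -> str:
    """The .SF digests the manifest, not the JAR entries: the whole manifest,
    its main section, and each per-entry section. That is why MANIFEST.MF and
    XXX.SF show different SHA1-Digest values for the same entry name."""
    main, entries = split_sections(manifest)
    out = section("Signature-Version: 1.0",
                  f"SHA1-Digest-Manifest-Main-Attributes: {sha1_b64(main.encode())}",
                  f"SHA1-Digest-Manifest: {sha1_b64(manifest.encode())}")
    for name, sec in entries:
        out += section(f"Name: {name}", f"SHA1-Digest: {sha1_b64(sec.encode())}")
    return out

def verify(jar: zipfile.ZipFile, manifest: str, sf: str) -> list:
    """Digest-level verification; returns the list of problems (empty = clean)."""
    problems = []
    sf_main, sf_entries = split_sections(sf)
    mf_main, mf_entries = split_sections(manifest)
    # 1. the .SF must vouch for exactly this manifest (whole file and main section)
    if attr(sf_main, "SHA1-Digest-Manifest") != sha1_b64(manifest.encode()):
        problems.append("SHA1-Digest-Manifest does not match MANIFEST.MF")
    if attr(sf_main, "SHA1-Digest-Manifest-Main-Attributes") != sha1_b64(mf_main.encode()):
        problems.append("SHA1-Digest-Manifest-Main-Attributes does not match the manifest main section")
    # 2. every .SF entry digest must match the manifest section of the same name
    mf_by_name = dict(mf_entries)
    for name, sec in sf_entries:
        if name not in mf_by_name:
            problems.append(f"{name}: listed in .SF but not in manifest")
        elif attr(sec, "SHA1-Digest") != sha1_b64(mf_by_name[name].encode()):
            problems.append(f"{name}: .SF digest does not match manifest section")
    # 3. every manifest entry digest must match the bytes actually in the JAR
    for name, sec in mf_entries:
        try:
            data = jar.read(name)
        except KeyError:
            problems.append(f"{name}: listed in manifest but missing from JAR")
            continue
        if attr(sec, "SHA1-Digest") != sha1_b64(data):
            problems.append(f"{name}: JAR content does not match manifest digest")
    return problems

def make_jar(files: dict) -> zipfile.ZipFile:
    """In-memory JAR built from {name: bytes} (a JAR is just a ZIP file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)

def demo():
    # Constructed stand-ins for Hello.class and util.class (not real bytecode).
    files = {"Hello.class": b"\xca\xfe\xba\xbe Hello", "util.class": b"\xca\xfe\xba\xbe util"}
    jar = make_jar(files)
    manifest = build_manifest(jar, "Hello")
    sf = build_sf(manifest)
    clean = verify(jar, manifest, sf)
    # Swap a class after signing: check 3 catches it.
    tampered = verify(make_jar({**files, "Hello.class": b"\xca\xfe\xba\xbe Other"}), manifest, sf)
    # Edit the manifest instead (here the Main-Class): the .SF digests catch it.
    forged = verify(jar, manifest.replace("Main-Class: Hello", "Main-Class: Other"), sf)
    return clean, tampered, forged

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the script prints an empty list for the untouched JAR, then the problem reported for the swapped class, then the two problems reported for the edited manifest. Note that this digest layer alone only detects accidental or casual modification: without checking the signature in the block file against a trusted certificate, an attacker who rewrites the JAR can simply regenerate both MANIFEST.MF and XXX.SF, which is exactly why jarsigner -verify also validates the signature block.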