JAR files can be signed with the jarsigner tool or directly through the java.security API. A signed JAR file is exactly the same as the original JAR file, except that its manifest is updated and two files, a signature file and a signature block file, are added to the META-INF directory.
JAR files are signed with a certificate stored in a keystore database. The certificate stored in the keystore is password-protected, and this password must be supplied to the jarsigner tool to sign the JAR file.
Each signer of the JAR is represented by a signature file with the .SF extension in the META-INF directory of the JAR file. The file format is similar to that of the manifest file: a set of RFC-822 headers. As shown below, it consists of a main section, which contains information supplied by the signer that is not specific to any particular JAR file entry, followed by a series of individual entries, each of which must also be present in the manifest file. When a signed JAR file is verified, the digest values in the signature file are compared with the digest values calculated for the corresponding entries in the JAR file.
Contents of manifest file META-INF/MANIFEST.MF:

Manifest-Version: 1.0
Created-By: 1.3.0 (Sun Microsystems Inc.)

Name: Sample.java
SHA1-Digest: 3+DdYW8INICtyG8ZarHlFxX0W6g=

Name: Sample.class
SHA1-Digest: YJ5yQHBZBJ3SsTNcHJFqUkfWEmI=

Contents of signature file META-INF/JAMES.SF:

Signature-Version: 1.0
SHA1-Digest-Manifest: HBstZOJBuuTJ6QMIdB90T8sjaOM=
Created-By: 1.3.0 (Sun Microsystems Inc.)

Name: Sample.java
SHA1-Digest: qipMDrkurQcKwnyIlI3Jtrnia8Q=

Name: Sample.class
SHA1-Digest: pT2DYby8QXPcCzv2NwpLxd8p4G4=
A digital signature is the signed version of the .SF signature file. The digital signature file is a binary file with the same file name as the .SF file but a different extension. The extension depends on the type of digital signature (RSA, DSA, or PGP) and on the type of certificate used to sign the JAR.
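The digest comparison described above, as an added example that is not part of the original article or of the JDK: it builds a constructed in-memory JAR laid out like the listing (SHA1-Digest headers, a JAMES.SF file), then checks each file against its manifest entry and each manifest entry against the .SF file. The function names are hypothetical, and the signature block file (.DSA/.RSA) is not checked here, so this shows only the digest chain, not who signed it.

```python
import base64, hashlib, io, re, zipfile

def b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def split_sections(raw: bytes) -> list:
    # A section is a run of non-empty lines plus the blank line that ends it;
    # digests in the .SF file cover exactly those raw bytes.
    return re.findall(rb"(?:[^\r\n]+\r?\n)+(?:\r?\n)?", raw)

def headers(section: bytes) -> dict:
    # Assumption: no 72-byte continuation lines (true for the constructed sample).
    return dict(l.split(": ", 1) for l in section.decode().splitlines() if ": " in l)

def check_digests(jar_bytes: bytes, sf_name: str) -> list:
    """Return a list of problems; an empty list means every digest agrees."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        mf_raw = jar.read("META-INF/MANIFEST.MF")
        mf = {headers(s).get("Name"): s for s in split_sections(mf_raw)}
        main, *signed = [headers(s) for s in split_sections(jar.read(sf_name))]
        if main.get("SHA1-Digest-Manifest") != b64sha1(mf_raw):
            problems.append("manifest digest mismatch")
        for h in signed:
            name = h["Name"]
            if name not in mf or h["SHA1-Digest"] != b64sha1(mf[name]):
                problems.append(f"{name}: manifest entry mismatch")
            elif headers(mf[name])["SHA1-Digest"] != b64sha1(jar.read(name)):
                problems.append(f"{name}: content mismatch")
        covered = {h["Name"] for h in signed}
        problems += [f"{n}: not covered by {sf_name}" for n in jar.namelist()
                     if not n.startswith("META-INF/") and n not in covered]
    return problems

def build_jar(signed: dict, packed: dict = None) -> bytes:
    # Constructed sample: digests are computed over `signed`, while the archive
    # holds `packed`, so a difference between the two models tampering.
    ent = {n: f"Name: {n}\r\nSHA1-Digest: {b64sha1(d)}\r\n\r\n".encode()
           for n, d in signed.items()}
    mf = b"Manifest-Version: 1.0\r\n\r\n" + b"".join(ent.values())
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(mf)}\r\n\r\n".encode()
    sf += b"".join(f"Name: {n}\r\nSHA1-Digest: {b64sha1(e)}\r\n\r\n".encode()
                   for n, e in ent.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/JAMES.SF", sf)
        for n, d in (packed or signed).items():
            z.writestr(n, d)
    return buf.getvalue()

SAMPLE = {"Sample.java": b"class Sample {}\n", "Sample.class": b"\xca\xfe\xba\xbe"}
```

A file added to the archive after signing is reported as not covered, which is the case a per-entry digest check alone would miss.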
To sign a JAR file, you must first have a private key. The private key and its associated public key certificates are stored in keystores, which are password-protected databases. The JDK includes tools for creating and modifying keystores. Each key in the keystore is identified by an alias, which is usually the name of the signer who owns the key.
All keystore entries (key entries and trusted certificate entries) are accessed through a unique alias. The alias is specified when an entry is added to the keystore with the keytool -genkey command, which generates the key pair (public key and private key). Subsequent keytool commands must use the same alias to refer to this entry.
For example, to generate a new public/private key pair with the alias "james" and wrap the public key into a self-signed certificate, run the following command:
keytool -genkey -alias james -keypass jamespass -validity 80 -keystore jamesKeyStore -storepass jamesKeyStorePass
This command sequence specifies an initial password, "jamespass". Subsequent commands require this password to access the private key associated with the alias "james" in the keystore "jamesKeyStore". If the keystore "jamesKeyStore" does not exist, keytool creates it automatically.
The jarsigner tool uses a keystore to generate or verify the digital signature of a JAR file.
Assume that the keystore "jamesKeyStore" has been created as in the preceding example and contains a key with the alias "james". You can use the following command to sign a JAR file:
jarsigner -keystore jamesKeyStore -storepass jamesKeyStorePass -keypass jamespass -signedjar SSample.jar Sample.jar james
This command uses the password "jamesKeyStorePass" to extract the key with the alias "james" and the password "jamespass" from the keystore named "jamesKeyStore", signs the Sample.jar file with that key, and creates a signed JAR, SSample.jar.
The jarsigner tool can also verify a signed JAR file, which is much simpler than signing one. You only need to execute the following command:
jarsigner -verify SSample.jar
If the signed JAR file has not been tampered with, the jarsigner tool will tell you that the JAR has passed verification. Otherwise, it throws a SecurityException indicating which files could not be verified.
You can also use the java.util.jar and java.security APIs to sign a JAR file programmatically (for more information, see references). You can also use tools such as the Netscape Object Signing Tool.
Strip the signature from a signed JAR package and re-sign it.
1. resign.sh script (strips key, adds key, adds index)
#!/bin/sh
# $Id: resign.sh,v 1.3 2002/07/02 13:57:32 mvw Exp $
# This script resigns the jars
# (remove old signature, add new signature)
# Settings for present Foo Server
JDK=/usr/java/j2sdk1.4.0
keystore=../../frontend/WebStart/key/fookeystore
# Load the list of jars into $unsigned_files
. ./files.sh
for i in $unsigned_files
do
  echo "---"
  echo "unpacking $i .."
  tmp="tmp-$i"
  mkdir "$tmp"
  cd "$tmp"
  unzip -q "../$i"
  chmod -R u+rwx *
  find . -type f | xargs chmod u-x
  echo "changing META-INF stuff .."
  cd META-INF
  # Remove the old signature file and signature block file
  rm -f *.SF
  rm -f *.DSA
  # This will determine the line number of the first blank line in MANIFEST.MF
  # (a blank line here is anything that has no letter/number)
  # tr strips the carriage return that a CRLF manifest leaves after the line number
  cut=`grep -E -nv '^.*[a-z|A-Z|0-9]+.*$' MANIFEST.MF | sed s/:// | head -1 | tr -d '\r'`
  if [ -z "$cut" ];
  then
    echo "no cut detected";
  else
    # Keep only the main section, dropping the old per-entry digest sections
    echo "cutting MANIFEST.MF at line $cut .." &&
    head -n "$cut" MANIFEST.MF > m.MF &&
    rm -f MANIFEST.MF &&
    mv m.MF MANIFEST.MF &&
    cat MANIFEST.MF;
  fi
  echo "repacking $i .."
  cd ..
  rm -f "../$i"
  zip -q9r "../$i" .
  cd ..
  rm -rf "$tmp"
  echo "signing $i .."
  $JDK/bin/jarsigner -keystore $keystore -storepass foopassword "$i" fookeyname
  echo "verifying the signatures of $i .."
  $JDK/bin/jarsigner -verify "$i"
  echo "indexing $i .."
  $JDK/bin/jar -i "$i"
done
2. files.sh (a list of files to treat)
# $Id: files.sh,v 1.1 2002/05/07 16:35:18 mvw Exp $
# Files list
# Watch out
# - the double quotes,
# - the trailing space inside the quoted string,
# - the backslash immediately following the closing quote
unsigned_files=\
"Foo1.jar "\
"Foo2.jar "\
"Foo3.jar "\
"Foo-help.jar"
For the original post, see:
http://blog.csdn.net/hunterK/archive/2006/09/06/1186742.aspx