When you sign a JAR using
, additional information is placed in
the JAR. This happens behind the scenes, but it may be helpful to
know exactly what’s going on.
Signature information is placed into files in the
META-INF directory of the JAR, the same
directory that contains the manifest file. Each person who signs the
file is represented by a signature file, with an extension of
.SF. The signature file looks a lot like the
manifest file. It has a version section (Signature-Version: 1.0)
and sections for each file in the JAR.
The name of this file is determined from the directive file used when
the signature is created. When we used
sign a JAR, earlier in this chapter, the directive file contained
This would generate the signature file in the JAR as META-INF/MARISIGN.SF. Basically, this file just contains message digests for the contents of the JAR. A signed version of this signature file represents the actual JAR signature. The signed version has the same filename but a different extension, determined by the signing algorithm used. Marian used the DSA algorithm to sign the JAR, so the signed file is META-INF/MARISIGN.DSA.
We can verify this by examining the contents of the JAR:
jar -tvf signedArchive.jar META-INF
288 Fri May 30 09:09:00 EDT 1997 META-INF/MANIFEST.MF
289 Wed Jun 04 15:10:54 EDT 1997 META-INF\MARISIGN.SF
1289 Wed Jun 04 15:10:54 EDT 1997 META-INF\MARISIGN.DSA
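The same layout can be inspected programmatically. The Python code below is an added example, not code from the original text: it pairs each .SF file with its signed block and reports JAR entries that the signature file does not list, without doing any cryptographic verification. The .RSA and .EC extensions, the Name: section key and the continuation-line rule come from the general JAR format rather than from this page, and the sample JAR, its class names and its digest line are constructed placeholders.

```python
import io
import zipfile

BLOCK_EXTS = (".DSA", ".RSA", ".EC")  # assumption: the page itself shows only .DSA

def parse_sections(text):
    """Split manifest-style text into sections, joining continuation lines."""
    sections, current, last = [], {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:                          # a blank line closes a section
            if current:
                sections.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:   # wrapped value continues
            current[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            current[last] = value
    return sections + ([current] if current else [])

def inspect_signers(jar_bytes):
    """Per signer: version, signed-block file, and JAR files the .SF does not list."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        # The listing on the page shows backslash separators, so normalise them.
        names = {n.replace("\\", "/"): n for n in jar.namelist()}
        meta = {n for n in names if n.upper().startswith("META-INF/")}
        payload = {n for n in names if n not in meta and not n.endswith("/")}
        for norm in (n for n in meta if n.upper().endswith(".SF")):
            base = norm[:-3]
            sections = parse_sections(jar.read(names[norm]).decode("utf-8"))
            listed = {s["Name"] for s in sections if "Name" in s}
            report[base.split("/")[-1]] = {
                "version": (sections or [{}])[0].get("Signature-Version"),
                "block": next((base + e for e in BLOCK_EXTS if base + e in names), None),
                "unlisted": sorted(payload - listed),
            }
    return report

def build_sample_jar():
    """Constructed sample: the digest and signature block are placeholders."""
    sf = ("Signature-Version: 1.0\n\n"
          "Name: com/example/He\n llo.class\nSHA-Digest: PLACEHOLDER\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF\\MARISIGN.SF", sf)
        jar.writestr("META-INF\\MARISIGN.DSA", b"PLACEHOLDER-SIGNATURE-BLOCK")
        jar.writestr("com/example/Hello.class", b"constructed")
        jar.writestr("com/example/Extra.class", b"constructed, added after signing")
    return buf.getvalue()
```

A non-empty "unlisted" result, or a signer with no signed block, means part of the archive is not covered by that signer and deserves a closer look before the JAR is trusted.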