Signing

When you sign a JAR using javakey or jarsigner, additional information is placed in the JAR. This happens behind the scenes, but it may be helpful to know exactly what's going on.

Signature information is placed into files in the META-INF directory of the JAR, the same directory that contains the manifest file. Each person who signs the file is represented by a signature file, with an extension of .SF. The signature file looks a lot like the manifest file. It has a version section (Signature-Version: 1.0) and sections for each file in the JAR.

The name of this file is determined from the directive file used when the signature is created. When we used javakey to sign a JAR, earlier in this chapter, the directive file contained this line:

signature.file=MARISIGN

This would generate the signature file in the JAR as META-INF/MARISIGN.SF. Basically, this file just contains message digests for the contents of the JAR. A signed version of this signature file represents the actual JAR signature. The signed version has the same filename but a different extension, determined by the signing algorithm used. Marian used the DSA algorithm to sign the JAR, so the signed file is META-INF/MARISIGN.DSA.

We can verify this by examining the contents of the JAR:

C:\ jar -tvf signedArchive.jar META-INF
   288 Fri May 30 09:09:00 EDT 1997 META-INF/MANIFEST.MF
   289 Wed Jun 04 15:10:54 EDT 1997 META-INF\MARISIGN.SF
  1289 Wed Jun 04 15:10:54 EDT 1997 META-INF\MARISIGN.DSA
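The following is an added example, not code from the book or from the JDK tools: a small Python script that builds a constructed JAR in memory with the META-INF layout described above (MANIFEST.MF, MARISIGN.SF and a placeholder MARISIGN.DSA), then does what a reviewer inspecting a signed archive would do by hand: it pairs each .SF file with its signature block (whatever algorithm extension it carries) and recomputes the per-entry SHA-1 digests stored in the manifest to detect a modified entry. The signature block content is a labelled placeholder; checking the actual DSA/PKCS#7 signature over the .SF file is left to jarsigner or a crypto library and is not shown here.

```python
import base64
import hashlib
import io
import zipfile

# Extensions the JAR format allows for the signature block that accompanies a .SF file.
SIG_BLOCK_EXTS = (".DSA", ".RSA", ".EC")


def b64sha1(data):
    """Base64-encoded SHA-1 digest, the encoding used for SHA-Digest manifest values."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def parse_manifest(text):
    """Split a MANIFEST.MF or .SF body into (main_attrs, {entry_name: attrs}).
    Sections are separated by blank lines; a line starting with a space continues
    the previous line (the manifest format's line-wrapping rule)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if not line:
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def list_signers(jar_bytes):
    """Pair every META-INF/<SIGNER>.SF with its signature block file (or None)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
    signers = {}
    for name in names:
        if name.startswith("META-INF/") and name.upper().endswith(".SF"):
            signer = name[len("META-INF/"):-3]
            block = next((f"META-INF/{signer}{ext}" for ext in SIG_BLOCK_EXTS
                          if f"META-INF/{signer}{ext}" in names), None)
            signers[signer] = (name, block)
    return signers


def verify_manifest_digests(jar_bytes):
    """Recompute the SHA-1 digest of every entry named in MANIFEST.MF and compare it
    with the stored SHA-Digest value. Returns {entry_name: digest_matches}."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        _, entries = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        result = {}
        for name, attrs in entries.items():
            result[name] = attrs.get("SHA-Digest") == b64sha1(z.read(name))
    return result


def section_text(name, digest):
    return f"Name: {name}\r\nSHA-Digest: {digest}\r\n\r\n"


def build_sample_jar(tamper=False):
    """Constructed sample JAR. With tamper=True the README entry is altered after the
    manifest was written, which is what a digest check must catch."""
    files = {"Hello.class": b"\xca\xfe\xba\xbe constructed class bytes",
             "README": b"constructed readme text"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    sf = "Signature-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        sec = section_text(name, b64sha1(data))
        manifest += sec
        # The JAR format has the .SF digest each manifest *section*, not the file bytes.
        sf += section_text(name, b64sha1(sec.encode()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/MARISIGN.SF", sf)
        # Placeholder: a real signature block holds the DSA signature over MARISIGN.SF.
        z.writestr("META-INF/MARISIGN.DSA", b"placeholder signature block")
        for name, data in files.items():
            z.writestr(name, data[:-1] if tamper and name == "README" else data)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("signers:", list_signers(jar))
    print("intact :", verify_manifest_digests(jar))
    print("tampered:", verify_manifest_digests(build_sample_jar(tamper=True)))
```

A digest mismatch here tells you an entry changed after signing; a matching digest only says the content agrees with the manifest, and trust in the manifest itself still rests on verifying the .DSA block over the .SF file against the signer's public key.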
