Digital Signatures of JAR Files

Q

What are digital signatures of JAR files? And where are they stored in the JAR file?

✍: FYIcenter.com

A

Digital signatures are encrypted digests of entries archieved in the JAR file. Digital signature information is stored in multiple files under the META-INF path name:

  • META-INF/MANIFEST.MF - Contains digests of JAR entries.
  • META-INF/*.SF - Signature file with digests of JAR entries. Generated by a specific signar.
  • META-INF/*.DSA - Signature file encrypted with the DSA (PKCS7 signature, DSA) algorithm. Generated by a specific signar.
  • META-INF/*.RSA - Signature file encrypted with the RSA (PKCS7 signature, SHA-256 + RSA) algorithm. Generated by a specific signar.
  • META-INF/SIG-* - Signature file encrypted with other algorithm. Generated by a specific signar.

Here is a sample of a *.SF file, SUN_MICR.SF:

Signature-Version: 1.0
SHA1-Digest-Manifest: WJfLq1ILjj2Pn43Eo0FBNVFuG9U=
Created-By: 1.3.1_04 (Sun Microsystems Inc.)

Name: javax/activation/MimeTypeParseException.class
SHA1-Digest: UAKWG9VD0+5i0GHxkNysu84wuGQ=

Name: javax/activation/CommandInfo.class
SHA1-Digest: VDih63m/ZVUpovKCWSyMwn4nGV4=

...

The "jarsigner" tool in the JDK can be used to sign file files.

Back to FAQ on JAR (Java ARchive) File Format.

2016-04-15, 869👍, 0💬