Signing and Verifying JAR Files
Typically, verification of signed JAR files will be the responsibility of your Java(TM) runtime environment. Assuming it uses a 1.1 or later runtime environment, your browser will verify signed applets that it downloads. And in version 1.2 of the Java platform, signed applications invoked with the -jar option of the interpreter will be verified by the runtime environment. However, you can verify signed JAR files yourself by using the JDK 1.2 Jarsigner tool. You might want to do this, for example, to test a signed JAR file that you've prepared. The Jarsigner tool can verify files that were signed either with Jarsigner itself or with the JDK 1.1 Javakey tool.
Note: Version 1.1 of the Java Development Kit does not provide a utility for verifying signed JAR files.
The basic command to use for verifying a signed JAR file is:
jarsigner -verify jar-file
This command will verify the JAR file's signature and ensure that the files in the archive haven't changed since it was signed. You'll see the message
jar verified.
if the verification is successful. If you try to verify an unsigned JAR file, the following message results:
jar is unsigned. (signatures missing or not parsable)
If the verification fails, an appropriate message is displayed. For example, if the contents of a JAR file have changed since the JAR file was signed, a message similar to the following will result if you try to verify the file:
jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for test/classes/Manifest.class
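To make the three outcomes above concrete, here is an added example (not part of the tutorial and not jarsigner's own code) that reproduces the integrity half of jarsigner -verify on an in-memory JAR: the manifest carries a digest of every entry, the .SF signature file carries a digest of every manifest section, and verification walks both layers. The PKCS#7 signature block (.RSA/.DSA) that jarsigner also checks over the .SF file is deliberately left out, and the helper names (build_jar, rewrite, read_entry, verify_jar), the signer file name SIGNER.SF, the SHA-256 algorithm and all JAR contents are constructed assumptions for the demo. The returned strings follow the shape of the messages quoted on this page rather than the exact text a given JDK prints.

```python
import base64
import hashlib
import io
import zipfile

# Constructed messages, shaped like the ones the tutorial quotes.
UNSIGNED = "jar is unsigned. (signatures missing or not parsable)"
VERIFIED = "jar verified."


def _digest(data: bytes) -> str:
    """Base64-encoded SHA-256 digest, the encoding the manifest format uses."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _sections(text: str) -> list:
    """Split manifest-style text into (raw_bytes, headers); the first item is the main section."""
    out = []
    for chunk in text.split("\r\n\r\n"):
        if not chunk:
            continue
        raw = (chunk + "\r\n\r\n").encode()  # exact bytes the .SF digest covers
        headers = dict(line.split(": ", 1) for line in chunk.split("\r\n"))
        out.append((raw, headers))
    return out


def build_jar(entries: dict, signed: bool = True) -> bytes:
    """Build a JAR whose MANIFEST.MF digests each entry and whose .SF digests each manifest section."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    sf_entries = []
    for name, data in entries.items():
        section = f"Name: {name}\r\nSHA-256-Digest: {_digest(data)}\r\n\r\n"
        manifest += section
        sf_entries.append(f"Name: {name}\r\nSHA-256-Digest: {_digest(section.encode())}\r\n\r\n")
    sf = (f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {_digest(manifest.encode())}\r\n\r\n"
          + "".join(sf_entries))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            z.writestr("META-INF/SIGNER.SF", sf)  # hypothetical signer name; no .RSA block here
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def read_entry(jar: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return z.read(name)


def rewrite(jar: bytes, replace: dict) -> bytes:
    """Copy the JAR, swapping in new bytes for the named entries (simulates post-signing tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, replace.get(name, src.read(name)))
    return buf.getvalue()


def verify_jar(jar: bytes) -> str:
    """Integrity checks in the order jarsigner reports them: .SF vs manifest, then manifest vs entries."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        names = z.namelist()
        sf_names = [n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")]
        if not sf_names:
            return UNSIGNED
        man_sections = _sections(z.read("META-INF/MANIFEST.MF").decode())
        by_name = {h["Name"]: (raw, h) for raw, h in man_sections[1:]}
        for sf_name in sf_names:
            for _, h in _sections(z.read(sf_name).decode())[1:]:
                raw, _ = by_name.get(h["Name"], (None, None))
                if raw is None or h["SHA-256-Digest"] != _digest(raw):
                    return f"invalid SHA-256 signature file digest for {h['Name']}"
        for name, (_, h) in by_name.items():
            if name not in names or h["SHA-256-Digest"] != _digest(z.read(name)):
                return f"invalid SHA-256 digest for {name}"
    return VERIFIED


# Constructed sample archive contents.
ENTRIES = {"test/classes/Manifest.class": b"\xca\xfe\xba\xbe constructed class bytes",
           "README.txt": b"constructed readme"}

if __name__ == "__main__":
    good = build_jar(ENTRIES)
    print(verify_jar(good))                              # jar verified.
    print(verify_jar(build_jar(ENTRIES, signed=False)))  # unsigned message
    print(verify_jar(rewrite(good, {"README.txt": b"edited after signing"})))
    stale_sf = read_entry(good, "META-INF/SIGNER.SF")
    regenerated = build_jar({**ENTRIES, "test/classes/Manifest.class": b"new class bytes"})
    print(verify_jar(rewrite(regenerated, {"META-INF/SIGNER.SF": stale_sf})))
```

The last case is the one the tutorial's error message describes: an entry was replaced and the manifest regenerated, but the signature file still covers the old manifest section, so the signature file digest check is the one that fails.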