I'm wanting to sign a jar using jarsigner, then verify it using a Java application which does not have the signed jar as part of its classpath (i.e. just using a filesyst
You can use entry.getCodeSigners() to get the signers for a particular entry in the JAR.
Make sure to open the JarFile with verify=true and to fully read the JAR entry before calling entry.getCodeSigners().
Something like this could be used to verify each entry that is not a signature file:
import java.io.InputStream;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.output.NullOutputStream;

boolean verify = true;
try (JarFile jar = new JarFile(signedFile, verify)) {
    // Need to read each entry fully so that later calls to entry.getCodeSigners() return anything:
    // JarFile checks an entry's digest lazily while its stream is consumed, and a tampered
    // entry surfaces as a SecurityException thrown from the read below
    Enumeration<JarEntry> entries = jar.entries();
    while (entries.hasMoreElements()) {
        JarEntry entry = entries.nextElement();
        try (InputStream in = jar.getInputStream(entry)) {
            IOUtils.copy(in, new NullOutputStream());
        }
    }
    // Now check each entry that is not a signature file
    entries = jar.entries();
    while (entries.hasMoreElements()) {
        JarEntry entry = entries.nextElement();
        String fileName = entry.getName().toUpperCase(Locale.ENGLISH);
        if (!fileName.endsWith(".SF")
                && !fileName.endsWith(".DSA")
                && !fileName.endsWith(".EC")
                && !fileName.endsWith(".RSA")) {
            // Now get code signers, inspect certificates etc here...
            // entry.getCodeSigners();
        }
    }
}
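A complete checker built on the same two-pass approach, added here as an illustration and not part of the original answer. It goes beyond the snippet above in the two places a verifier is usually bitten: an entry whose getCodeSigners() returns null is unsigned (a file added to a signed JAR after signing still "verifies" unless such entries are rejected), and JarFile only checks that signatures are internally consistent, so the signer's certificate must be compared against something you trust. Here that is a SHA-256 fingerprint of the expected signing certificate passed on the command line; the class name, the fingerprint-based trust decision and the VerificationException type are assumptions of this example, not anything from the question or the JDK.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Example checker (hypothetical class): verifies a signed JAR from the filesystem. */
public final class SignedJarChecker {

    /** Raised when the JAR fails any of the checks below. */
    public static final class VerificationException extends Exception {
        VerificationException(String msg) { super(msg); }
    }

    /**
     * Verifies that every content entry in {@code jarPath} has an intact digest, is signed,
     * and that at least one signer's leaf certificate has the given SHA-256 fingerprint (hex).
     */
    public static void verify(Path jarPath, String trustedFingerprintHex)
            throws IOException, VerificationException, GeneralSecurityException {
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            // Pass 1: consume every entry. Digests are checked while the stream is read,
            // and getCodeSigners() only returns data for entries that have been read.
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* discard */ }
                } catch (SecurityException ex) {
                    throw new VerificationException("digest mismatch in " + e.getName() + ": " + ex.getMessage());
                }
            }
            // Pass 2: every content entry must carry a signer whose certificate we trust.
            entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (isExempt(e)) continue;
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // Unsigned files can be added to a signed JAR without breaking it; reject them.
                    throw new VerificationException("unsigned entry: " + e.getName());
                }
                if (!anySignerTrusted(signers, trustedFingerprintHex)) {
                    throw new VerificationException("entry " + e.getName() + " is not signed by the trusted certificate");
                }
            }
        }
    }

    /** Directories, the manifest and the signature files themselves never carry signers. */
    private static boolean isExempt(JarEntry e) {
        if (e.isDirectory()) return true;
        String name = e.getName().toUpperCase(Locale.ENGLISH);
        if (name.equals(JarFile.MANIFEST_NAME.toUpperCase(Locale.ENGLISH))) return true;
        return name.startsWith("META-INF/")
                && (name.endsWith(".SF") || name.endsWith(".DSA")
                    || name.endsWith(".RSA") || name.endsWith(".EC"));
    }

    private static boolean anySignerTrusted(CodeSigner[] signers, String trustedFingerprintHex)
            throws GeneralSecurityException {
        for (CodeSigner s : signers) {
            List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
            if (chain.isEmpty()) continue;
            // Index 0 of the CertPath is the signer's own (leaf) certificate.
            X509Certificate leaf = (X509Certificate) chain.get(0);
            if (fingerprint(leaf).equalsIgnoreCase(trustedFingerprintHex)) return true;
        }
        return false;
    }

    /** SHA-256 over the certificate's DER encoding, lower-case hex, no separators. */
    static String fingerprint(Certificate c) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SignedJarChecker signed.jar <sha256-hex-of-signing-certificate>
        verify(Paths.get(args[0]), args[1]);
        System.out.println("OK: every entry is signed by the trusted certificate");
    }
}
```

Pinning a certificate fingerprint is the simplest trust decision; if the signer's certificate can rotate, replace anySignerTrusted with a PKIX validation of getSignerCertPath() against your own trust anchors. Note also that JarFile does not check certificate expiry or revocation, so any such policy has to be applied by the caller as well.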