How to verify a jar signed with jarsigner programmatically

Question

I\'m wanting to sign a jar using jarsigner, then verify it using a Java application which does not have the signed jar as part of it\'s classpath (i.e. just using a filesyst

Answer 1

You can use the jarsigner application to do this. In processbuilder (or Runtime.exec) you can run the command with these arguments

 ProcessBulider pb = new ProcessBuilder("/usr/bin/jarsigner", "-verify", "-certs", f.getAbsolutePath());

and if the output contians verified then the jar is signed

Process p = pb.start();
p.waitFor();
InputStream is = p.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);
String line;
while ((line = br.readLine()) != null)
{
if(line.contains("verified");
...

THere are more complicated things you can do when you have the output of the jarsigner code.