jar-signing

I want to use verify an APK from Java code using JarSigner. I am writing an app that programatically installs APKs (much like Google Play) and before installing it checks for the following: Verify the signature of the .SF file itself.Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest. Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest. Read each file in the JAR file that has an entry in the .SF file. While reading, compute the file's digest, and then compare the result with the digest for

I'd like to build an assembly and then sign it. My problem is that the jarsigner signs not the assembly, only the standalone jar file. Could you tell me what is the problem? Maven seems like 'magic' to me after having used Ant for years.. I can't see the way the plugins cooperate and pass information to each other. After executing mvn install , I get two jar files, one called example-1.0.0-SNAPSHOT.jar and this is signed, and one called example-1.0.0-jar-with-dependencies.jar and this is not signed. I do not need the solo one, only the assembly, but that signed. Here is my pom.xml: <build>

I am trying to re-sign some jars using the ant task 'signjar' however it's telling me "The signer certificate has expired." So I tried to re-generate the keystore hoping this would 'un-expire' it... keytool -genkey -keystore mykeystore -alias myalias but after entering the keystore password i get: "keytool error: java.lang.Exception: Key pair not generated, alias already exists" what am i doing wrong? do i need to delete the keystore to re-generate it or is there a simple way to refresh it so it's not expired? thanks. maaartinus You're mixing up the terms. A keystore contains keys, a key is

I used jarsigner to sign my jar file. But I got a warning: Warning: This jar contains entries whose signer certificate will expire within six months. How can I make it never expire or expire in a longer time? Specify the required number of days in the -validity parameter to keytool . Addendum: -validity is an option to keytool . keytool -genkey -alias sawyer -validity 1234 -dname "…" After you create the new key, use its unique alias with jarsigner to sign your JAR. 来源： https://stackoverflow.com/questions/6171554/how-to-sign-a-jar-to-never-expire

I have submitted and published an app in the Google Play store. I did not receive any errors when I uploaded my binary. Now, I am receiving reports from some (not all) customers stating that they are getting the following error when installing our App: "Package file was not signed correctly" When I try to replicate this error myself (using a Nexus 7 reset to factory settings), however, everything goes smoothly. This seems to be similar to the issue described in this question, but the accepted answer doesn't seem to apply in this case. I have seen suggestions to use JDK 6 instead of JDK 7, but

Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens). Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken. According to the GlobalSign site, I should sign my jars as following: jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass

To run maven-shade-plugin, I have to use to method described here due to signed dependencies, as shown here: <plugin> <artifactId>maven-shade-plugin</artifactId> <executions> <execution> <phase>package</phase> <goals><goal>shade</goal></goals> <configuration> <filters> <filter> <!-- filter out signature files from signed dependencies, else repackaging fails with security ex --> <artifact>*:*</artifact> <excludes> <exclude>META-INF/*.SF</exclude> <exclude>META-INF/*.DSA</exclude> <exclude>META-INF/*.RSA</exclude> </excludes> </filter> </filters> </configuration> </execution> </executions> <

As my JDK version upgraded to u45 now I get warnings about missing security information. So I used following security updates as part of webstart signing using webstart-maven-plugin <plugin> <groupId> org.codehaus.mojo</groupId> <artifactId>webstart-maven-plugin</artifactId> <version>1.0-beta-4</version> <executions> <execution> <phase>package</phase> <goals> <goal>jnlp-inline</goal> <!-- use jnlp, jnlp-inline or jnlp-single as appropriate --> </goals> </execution> </executions> <configuration> <!--outputDirectory></outputDirectory --> <!-- not required?? --> <!-- Set to true to exclude all