October 26, 2017

What is a signed jar file?

First, a jar file is a zip file. When a jar is signed, a digest (hash) of every entry in the jar is computed and written into the manifest, and a second file then digests the manifest itself. Both live under META-INF:

META-INF/MANIFEST.MF
META-INF/your-name.SF

MANIFEST.MF holds one section per entry (Name plus SHA-256-Digest, or SHA1-Digest in older jars). The .SF file starts with a digest of the entire manifest (SHA-256-Digest-Manifest) and then lists one digest per manifest section. The signature itself is computed over the .SF file, not over the jar as a whole: the jar is protected only through this chain of digests.

The signature block, a PKCS#7 structure containing the signature over the .SF file together with the signer certificate and its CA chain, is placed in

META-INF/your-name.RSA (.DSA or .EC when the signing key is DSA or EC)

To read the signature block and print the certificates it carries, use openssl:

openssl pkcs7 -in META-INF/your-name.RSA -inform DER -print_certs -text -noout

To verify the signed jar and see which signer and certificate were used:

jarsigner -verify -verbose -certs your-jar.jar

Read the output rather than just the exit status: jarsigner prints a per-entry flag column (s for signed, m for listed in the manifest) and warns about entries that have no manifest section, i.e. entries that are not covered by the signature at all, and about expired or self-signed certificates, which it does not treat as a hard failure.
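The two digest layers described above, as an added example that is not part of the original post: a small Python script that builds a jar with a MANIFEST.MF and a .SF file the way the format lays them out, then verifies the digests and shows which layer catches which kind of tampering. The signer name EXAMPLE, the "class" contents and the tampered variants are constructed for illustration; the PKCS#7 signature block (the .RSA file, which is what really binds the .SF file to a key) is not produced or checked here, since that requires a private key and is the part jarsigner and openssl handle in the commands above.

```python
import base64
import hashlib
import io
import zipfile

CRLF = "\r\n"
SF_NAME = "META-INF/EXAMPLE.SF"   # hypothetical signer name for this example


def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def split_sections(data: bytes) -> list:
    """Split a manifest-style file into raw byte sections; a blank line ends a
    section. The raw bytes (blank line included) are what the .SF digests cover."""
    sections, cur = [], b""
    for line in data.splitlines(keepends=True):
        cur += line
        if line.strip() == b"":
            if cur.strip():
                sections.append(cur)
            cur = b""
    if cur.strip():
        sections.append(cur)
    return sections


def parse_attrs(section: bytes) -> dict:
    """Parse one section into a dict, joining 72-byte continuation lines (leading space)."""
    attrs, key = {}, None
    for line in section.decode("utf-8").splitlines():
        if not line:
            continue
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]
        else:
            key, _, val = line.partition(":")
            attrs[key] = val.strip()
    return attrs


def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF: main section, then one named section per entry with the
    digest of that entry's uncompressed bytes."""
    out = "Manifest-Version: 1.0" + CRLF + "Created-By: example" + CRLF + CRLF
    for name, data in entries.items():
        out += f"Name: {name}" + CRLF + f"SHA-256-Digest: {b64_sha256(data)}" + CRLF + CRLF
    return out.encode("utf-8")


def build_sf(manifest: bytes) -> bytes:
    """The .SF file digests the whole manifest, its main section and every named
    manifest section; this byte string is what the .RSA block would sign."""
    sections = split_sections(manifest)
    out = "Signature-Version: 1.0" + CRLF
    out += f"SHA-256-Digest-Manifest: {b64_sha256(manifest)}" + CRLF
    out += f"SHA-256-Digest-Manifest-Main-Attributes: {b64_sha256(sections[0])}" + CRLF + CRLF
    for sec in sections[1:]:
        out += f"Name: {parse_attrs(sec)['Name']}" + CRLF
        out += f"SHA-256-Digest: {b64_sha256(sec)}" + CRLF + CRLF
    return out.encode("utf-8")


def make_jar(entries: dict, manifest: bytes, sf: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(SF_NAME, sf)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_digests(jar_bytes: bytes) -> list:
    """Check both digest layers and return a list of problems (empty = consistent).
    The PKCS#7 signature over the .SF file is deliberately not checked here."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest, sf, names = z.read("META-INF/MANIFEST.MF"), z.read(SF_NAME), set(z.namelist())
        mf_by_name = {parse_attrs(s)["Name"]: s for s in split_sections(manifest)[1:]}
        sf_sections = split_sections(sf)
        # Layer 1: the .SF file must match the manifest bytes as stored in the jar.
        if parse_attrs(sf_sections[0]).get("SHA-256-Digest-Manifest") != b64_sha256(manifest):
            problems.append("SF: whole-manifest digest mismatch")
        for sec in sf_sections[1:]:
            a, raw = parse_attrs(sec), mf_by_name.get(parse_attrs(sec)["Name"])
            if raw is None or a["SHA-256-Digest"] != b64_sha256(raw):
                problems.append(f"SF: manifest section digest mismatch for {a['Name']}")
        # Layer 2: the manifest must match the actual entry contents.
        for name, raw in mf_by_name.items():
            if name not in names:
                problems.append(f"MF: entry listed but missing: {name}")
            elif parse_attrs(raw)["SHA-256-Digest"] != b64_sha256(z.read(name)):
                problems.append(f"MF: content digest mismatch for {name}")
        # Anything outside META-INF with no manifest section is simply unsigned.
        for name in names:
            if not name.startswith("META-INF/") and name not in mf_by_name:
                problems.append(f"unsigned entry: {name}")
    return problems


def demo():
    """Build a consistent jar, then two tampered copies. Constructed sample data."""
    entries = {"com/example/Hello.class": b"\xca\xfe\xba\xbe original",
               "com/example/Util.class": b"\xca\xfe\xba\xbe helper"}
    manifest = build_manifest(entries)
    sf = build_sf(manifest)
    good = make_jar(entries, manifest, sf)
    swapped = {**entries, "com/example/Hello.class": b"\xca\xfe\xba\xbe backdoor"}
    tampered_class = make_jar(swapped, manifest, sf)                  # class changed only
    tampered_mf = make_jar(swapped, build_manifest(swapped), sf)      # manifest rebuilt, old .SF
    return verify_digests(good), verify_digests(tampered_class), verify_digests(tampered_mf)


if __name__ == "__main__":
    for label, result in zip(("clean", "class swapped", "manifest rebuilt"), demo()):
        print(label, "->", result or "OK")
```

The second tampered jar is the instructive one: an attacker who swaps a class and regenerates MANIFEST.MF defeats layer 2, but the .SF file still carries the old digests, so layer 1 fails. Regenerating the .SF file as well would pass both checks, which is why the .RSA signature over the .SF file is the part that actually needs a key, and why a verifier must check that signature and not just the digests.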