[ACCEPTED]-How to verify a jar signed with jarsigner programmatically-jarsigner

Accepted answer
Score: 17

You can simply open the JAR with java.util.jar.JarFile 8 and tell it to verify the JAR file. If the 7 JAR is signed, then JarFile has the option 6 to verify it (which is on by default). However, JarFile 5 will also open unsigned JARs happily, therefore 4 you must also check, whether or not the 3 file is signed. You can do so by checking 2 the JAR's manifest for *-Digest attributes: Elements 1 with such an attribute attribute are signed.


JarFile jar = new JarFile(new File("path/to/your/jar-file"));

// This call will throw a java.lang.SecurityException if someone has tampered
// with the signature of _any_ element of the JAR file.
// Alas, it will proceed without a problem if the JAR file is not signed at all
InputStream is = jar.getInputStream(jar.getEntry("META-INF/MANIFEST.MF"));
Manifest man = new Manifest(is);

Set<String> signed = new HashSet();
for(Map.Entry<String, Attributes> entry: man.getEntries().entrySet()) {
    for(Object attrkey: entry.getValue().keySet()) {
        if (attrkey instanceof Attributes.Name && 
           ((Attributes.Name)attrkey).toString().indexOf("-Digest") != -1)

Set<String> entries = new HashSet<String>();
for(Enumeration<JarEntry> entry = jar.entries(); entry.hasMoreElements(); ) {
    JarEntry je = entry.nextElement();
    if (!je.isDirectory())

// contains all entries in the Manifest that are not signed.
// Ususally, this contains:
//  * MANIFEST.MF itself
//  * *.SF files containing the signature of MANIFEST.MF
//  * *.DSA files containing public keys of the signer

Set<String> unsigned = new HashSet<String>(entries);

// contains all the entries with a signature that are not present in the JAR
Set<String> missing = new HashSet<String>(signed);
Score: 16

The security Provider implementation guide outlines the process of verifying JARs. Although 4 these instructions are for a JCA cryptographic 3 service provider to verify itself, they 2 should be applicable to your problem.

Specifically, check 1 out the verify(X509Certificate targetCert) method in the sample code, "MyJCE.java".

Score: 3

You can use entry.getCodeSigners() to get 6 the signers for a particular entry in the 5 JAR.

Make sure to open the JarFile with verify=true 4 and to fully read the JAR entry before calling 3 entry.getCodeSigners().

Something like this 2 could be used to verify each entry that 1 is not a signature file:

boolean verify = true;
JarFile jar = new JarFile(signedFile, verify);

// Need each entry so that future calls to entry.getCodeSigners will return anything
Enumeration<JarEntry> entries = jar.entries();
while (entries.hasMoreElements()) {
   JarEntry entry = entries.nextElement();
   IOUtils.copy(jar.getInputStream(entry), new NullOutputStream());

// Now check each entry that is not a signature file
entries = jar.entries();
while (entries.hasMoreElements()) {
    JarEntry entry = entries.nextElement();
    String fileName = entry.getName().toUpperCase(Locale.ENGLISH);
    if (!fileName.endsWith(".SF")
       && !fileName.endsWith(".DSA")
       && !fileName.endsWith(".EC")
       && !fileName.endsWith(".RSA")) {

       // Now get code signers, inspect certificates etc here...
       // entry.getCodeSigners();

More Related questions