How can I verifiy signed JARs with pure Java?
-
21-08-2019 - |
Question
I don't want to use the jarsigner -verify
. Is there no JAR util package for my problem?
I just want to verfiy a JAR in pure Java.
Solution
The "jarsigner" is just a small wrapper for a java program that verifies the jar. Inside your JDK there is a "tools.jar" (usally "C:\programs\Java\jdk1.6.0_13\lib\tools.jar" or something like this). Inside this library there is a class "JarSigner" that provides the desired ability. Just put the "tools.jar" on your classpath!
Heres an example program to demonstrate the behaviour
import sun.security.tools.JarSigner;
public class TestJarSigner {
public static void main(String[] args) {
JarSigner signer = new JarSigner();
signer.run(new String[] { "-verify", "tools.jar" });
}
}
Output is:
jar is unsigned. (signatures missing or not parsable)
The sources are availible if you need a deeper understanding of the signing process.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow