How can I verifiy signed JARs with pure Java?

Question

I don't want to use the jarsigner -verify. Is there no JAR util package for my problem? I just want to verfiy a JAR in pure Java.

Answer 1

The "jarsigner" is just a small wrapper for a java program that verifies the jar. Inside your JDK there is a "tools.jar" (usally "C:\programs\Java\jdk1.6.0_13\lib\tools.jar" or something like this). Inside this library there is a class "JarSigner" that provides the desired ability. Just put the "tools.jar" on your classpath!

Heres an example program to demonstrate the behaviour

import sun.security.tools.JarSigner;

public class TestJarSigner {

 public static void main(String[] args) {
  JarSigner signer = new JarSigner();
  signer.run(new String[] { "-verify", "tools.jar" });
 }

}

Output is:

jar is unsigned. (signatures missing or not parsable)

The sources are availible if you need a deeper understanding of the signing process.