I am working with Jarsigner. I want to check whether the given jar is signed or not. If user uploads a jar file, I want to find whether the jarfile is signed or not. I tried with the below code, (http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#integritycheck)

    // Ensure the jar file is signed.
    Manifest man = jarFile.getManifest();
    if (man == null) {
        throw new SecurityException("The provider is not signed");
    } 

But even if I provide a jar which is not signed, the `man` object is not null and this exception is not thrown. How can I check whether the given jar is signed or not?

halfer
Lolly
  • Signed jars usually have a .sf file and a .dsa file in the META-INF/ directory as well. – WPrecht Mar 25 '13 at 13:43
  • [JarVerifier](https://svn.cs.cf.ac.uk/projects/whip/trunk/whip-core/src/main/java/org/whipplugin/data/bundle/JarVerifier.java) is a class that verifies the signature on a JAR-file. You need to check several more things beyond the presence of a manifest file. Take a look at the class for a reference. – Henrik Aasted Sørensen Mar 25 '13 at 13:43
  • @Henrik can you tell as well how we can use JarVerifier? – Mihir Sep 01 '13 at 11:14
  • @Mihir Its interface is relatively simple. A minimal example is `JarFile jarfile = new JarFile(applet); JarVerifier.verify(jarfile, trustedCertificates);`. Note that I have omitted a lot of exception handling and stuff. `trustedCertificates` is a `List` of X509 certificates. Hope that helps. – Henrik Aasted Sørensen Sep 01 '13 at 11:29

2 Answers

Assuming you just want to know whether a jar is signed or not (without verifying the signature itself) this snippet should work:

    import java.io.IOException;
    import java.util.jar.JarFile;
    import java.util.jar.Manifest;

    boolean isJarSigned(JarFile jarFile) {
      try {
        final Manifest man = jarFile.getManifest();
        if (man == null)
          return false;

        // getEntries will contain all signed files
        return !man.getEntries().isEmpty();
      } catch (Throwable t) {
        t.printStackTrace();

        return false;
      } finally {
        // Make sure the jarFile gets always closed
        try {
          if (jarFile != null)
            jarFile.close();
        } catch (IOException e) {
          e.printStackTrace();
        }
      }
    }

Btw I know that I'm 3 years late with that answer but I was desperately looking for it myself so I thought I might as well just post my solution.

BrainStone
  • A non-empty manifest doesn't imply a signed JAR file. There's not much point in omitting the signature verification step. – user207421 Jul 05 '16 at 09:39
  • @EJP `Manifest.getEntries()` does not contain the main attributes like `Created-By` etc. As of Java 8 it only returns the entries you would not get from `Manifest.getMainAttributes()`. I recommend that you check the Javadocs on these methods and `Manifest.getAttributes(String)` – BrainStone Jul 05 '16 at 09:45

You stopped halfway down the page you cited. You missed the part where the signature is verified.

user207421
  • The OP did not ask for a verification of the signature. The question plainly asks how to determine whether a jar has a signature or not. If it has one, verifying it usually makes sense. But if you want to check whether a jar is signed or not because you verify the signature at some other point in your code you certainly do not need to iterate over the contents of a jar. – BrainStone Jul 05 '16 at 09:50
  • @BrainStone A signature that isn't valid isn't really a signature at all. A technique that returns false positives isn't any use to anyone. – user207421 Jul 06 '16 at 00:39
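
The two answers above disagree on what "signed" should mean: the manifest-based test in the first answer tells you the jar *carries* per-entry digests, while the second answer points at the verification step further down the cited Oracle page. The class below is an added example written for this page, not code from the question, either answer, or the JDK; it separates the two checks. `hasSignatureFiles` is the structural test WPrecht's comment describes (a `.SF` plus a `.RSA`/`.DSA`/`.EC` block directly under `META-INF/`), and `verify` does what the JDK actually requires: `JarFile` only checks an entry's digest while that entry's bytes are being read, and `JarEntry.getCodeSigners()` is only meaningful after the entry has been read to the end, so every entry is drained. The class name, the `Status` enum and the `trustedSigners` parameter are this example's own choices; pinning the signer's leaf certificate in a `Set` stands in for the PKIX path validation a production check would do.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the question, the answers or the JDK): separates "the jar
// carries signature files" from "every entry's signature verifies". Names are this
// example's own choices, not a JDK API.
public final class JarSignatureCheck {

    public enum Status { UNSIGNED, INVALID_SIGNATURE, TAMPERED, PARTIALLY_SIGNED, UNTRUSTED_SIGNER, SIGNED_OK }

    /** Structural check: a signature file (.SF) plus a signature block (.RSA/.DSA/.EC)
     *  directly under META-INF/. This says the uploader *claims* the jar is signed. */
    public static boolean hasSignatureFiles(JarFile jar) {
        boolean sf = false, block = false;
        for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
            String name = e.nextElement().getName().toUpperCase(Locale.ROOT);
            if (!name.startsWith("META-INF/") || name.indexOf('/', "META-INF/".length()) >= 0) continue;
            if (name.endsWith(".SF")) sf = true;
            if (name.endsWith(".RSA") || name.endsWith(".DSA") || name.endsWith(".EC")) block = true;
        }
        return sf && block;
    }

    /** Files jarsigner never signs; they must not count as "unsigned entries". */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', "META-INF/".length()) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    /** Verifying check. JarFile (opened with verify=true, the default) only checks an entry
     *  while its bytes are read, so every entry is drained. A digest or signature mismatch
     *  surfaces as SecurityException; an entry added after signing has no code signers. */
    public static Status verify(JarFile jar, Set<X509Certificate> trustedSigners) throws IOException {
        if (!hasSignatureFiles(jar)) return Status.UNSIGNED;
        byte[] buf = new byte[8192];
        boolean anySigned = false, allSigned = true;
        for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
            JarEntry entry = e.nextElement();
            if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* drain: the digest is compared at end of stream */ }
            } catch (SecurityException mismatch) {
                return Status.TAMPERED;
            }
            CodeSigner[] signers = entry.getCodeSigners(); // valid only after the entry is fully read
            if (signers == null || signers.length == 0) { allSigned = false; continue; }
            anySigned = true;
            if (trustedSigners != null && !signedByTrusted(signers, trustedSigners)) return Status.UNTRUSTED_SIGNER;
        }
        if (!anySigned) return Status.INVALID_SIGNATURE; // signature files present, nothing verified
        return allSigned ? Status.SIGNED_OK : Status.PARTIALLY_SIGNED;
    }

    /** At least one signer's leaf certificate must be pinned in the trusted set. Pinning is a
     *  simplification for this example; real code would run PKIX path validation and revocation. */
    static boolean signedByTrusted(CodeSigner[] signers, Set<X509Certificate> trusted) {
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (trusted.contains(leaf)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        try (JarFile jar = new JarFile(new File(args[0]))) { // verify=true by default
            System.out.println("signature files present: " + hasSignatureFiles(jar));
            System.out.println("verification result:     " + verify(jar, null));
        }
    }
}
```

Run it as `java JarSignatureCheck upload.jar`. An unsigned jar with a perfectly normal `MANIFEST.MF` (the case in the question) reports `UNSIGNED`, a jar with `META-INF/*.SF` whose entries do not verify reports `TAMPERED` or `INVALID_SIGNATURE`, and a jar that had a class added after `jarsigner` ran reports `PARTIALLY_SIGNED`, which the manifest-entries heuristic cannot tell from a fully signed one. Passing a non-null `trustedSigners` set is what turns "signed by someone" into "signed by a key we accept".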