
When I remove a file from a signed jar file, its signature still validates. Furthermore, when I tamper with a file in the jar file, although the signature cannot be validated, it still runs via `java -jar`.

Steps to reproduce:

  1. Download an example jar: https://docs.oracle.com/javase/tutorialJWS/samples/deployment/dynamictree_webstartJWSProject/DynamicTreeDemo.jar
  2. See that its signature is valid: `jarsigner -verify DynamicTreeDemo.jar`
  3. Delete an HTML file from the jar
  4. See that its signature is still valid: `jarsigner -verify DynamicTreeDemo.jar`
  5. Change something in an HTML file in the jar
  6. See that its signature is not valid anymore: `jarsigner -verify DynamicTreeDemo.jar`
  7. However, it runs without any problem via `java -jar DynamicTreeDemo.jar`

The question is why?

I'd expect it to be invalid at step 4 and would expect a security exception at step 7.

destan
  • Perhaps [this](http://docs.oracle.com/javase/6/docs/technotes/tools/windows/jarsigner.html): `A verification is still considered successful if none of the files that were in the JAR file when the signature was generated have been changed since then, which is the case if the hashes in the non-header sections of the .SF file equal the hashes of the corresponding sections in the manifest file.` – Marc B May 26 '16 at 14:03
  • @MarcB thanks that certainly explains step 4, what about step 7? – destan May 26 '16 at 14:04
  • @destan I have issues with this as well. I ended up just writing some logic to check if files exist that shouldn't and files were removed. The manifest, if tampered with, i.e. deleting an entry, will pop an exception. So I can use the manifest and see what classes are missing. I would post the code, but I am not at home right now. – Mr00Anderson May 26 '16 at 14:08
  • @Underbalanced thanks, no need for code. I'm just trying to understand if I missed something. However, it seems absurd; what's the use of the signature then? – destan May 26 '16 at 14:12
  • @destan Well, think of this... If you remove a file, will your application really work anyways? Signatures are for clients to verify your code has not been tampered with. If a file is deleted or added, is that going to mess with your application's integrity or will it just fail for missing a file? If someone else hosts your jar and writes malicious byte-code into the class file, that's where a signature is good. I use signatures in a ghetto way. I use it to ensure people do not cheat on my clients. So I wrap the obfuscated signature code in obfuscated native binaries that are encrypted by C++. – Mr00Anderson May 26 '16 at 14:17
  • @Underbalanced well, did you check steps 5 to 7? That contradicts your expectations, doesn't it? – destan May 26 '16 at 14:20
  • @destan Those do not surprise me. I am looking for the reason why since I do not remember off the top of my head. [Oracle Forms - A Closer Look at the JRE Security Warning(s) Related to JAR Signing and Manifests](https://blogs.oracle.com/proactivesupportDevTools/entry/a_closer_look_into_jre). The signing is for applets – Mr00Anderson May 26 '16 at 14:26
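
One way to write the check described in the comments above (files removed, files added, files modified), as an added example that is not code from any participant in this thread; the class name `StrictJarCheck` and its helper names are assumptions. It opens the jar with `java.util.jar.JarFile` in verifying mode and compares the manifest's entry list with the jar's actual contents.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

public class StrictJarCheck {   // hypothetical class name, not from the thread

    // Signature bookkeeping files are not themselves signed, so they are skipped.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    /** Returns the problems found; an empty list means nothing was removed, added or modified. */
    static List<String> check(File jar) throws IOException {
        List<String> problems = new ArrayList<>();
        try (JarFile jf = new JarFile(jar, true)) {            // true = verify entries as they are read
            Manifest mf = jf.getManifest();
            if (mf == null) { problems.add("no manifest"); return problems; }
            Set<String> listed = new TreeSet<>(mf.getEntries().keySet());
            listed.removeIf(n -> n.endsWith("/"));             // package-level sections are not files
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                String name = e.getName();
                listed.remove(name);
                if (e.isDirectory() || isSignatureFile(name)) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }             // digest is checked once the entry is fully read
                } catch (SecurityException ex) {               // step 5: content no longer matches its digest
                    problems.add("failed verification: " + name + " (" + ex.getMessage() + ")");
                    continue;
                }
                if (e.getCodeSigners() == null) problems.add("unsigned: " + name);  // added after signing
            }
            for (String name : listed) problems.add("missing: " + name);           // step 3: deleted file
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        List<String> problems = check(new File(args[0]));
        problems.forEach(System.out::println);
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

A non-null result from `getCodeSigners()` only shows that the entry was signed by someone; comparing the signer's certificate against one you trust is a separate step.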
