4

I am new to this topic. I am developing a Java standalone application. After the distribution is ready, it consists of a set of jars. Is there a good pattern to check whether the jars have been modified?

I was reading about signing jars and the Trusted-Only attribute in the manifest. It seems to be more of a piece of information to the user that the app/applet is from a trusted publisher.

I would like to prevent the app from starting up if it detects that the jars have been altered / are not signed properly.

Piotr
  • Are you trying to create some sort of copy protection/anti-tampering mechanism? – Kayaman Sep 08 '16 at 15:50
  • Are you trying to prevent attacks by modified code or just errors caused by defective JAR files? – Robert Sep 08 '16 at 16:01
  • You can make it difficult for an average user to modify things, but if someone can modify the .jar, they can modify your class and remove any verification code. – VGR Sep 08 '16 at 16:16
  • Yes, basically the idea was to at least get the information that not all application jars are signed by me. Of course, in the case of an advanced user, he could change this specific code fragment, but I wanted to prevent basic exploits. – Piotr Sep 09 '16 at 06:11
  • Is `Trusted-Only` valid only when deploying webstart/applets (the warning window)? As I've said, it's a standalone app with Windows/Linux installers distributed as a set of jars. – Piotr Sep 09 '16 at 07:00
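
An added example, not part of the original posts: one way to do the startup check the question asks for, using the standard `java.util.jar` API to require that every entry of a jar verifies and is signed by one pinned certificate. The class name and the fingerprint argument are assumptions made here; as the comments above note, a check shipped inside the application can itself be removed by anyone able to modify the jars.

```java
import java.io.File;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
public final class JarSignatureCheck {
    // The manifest and signature blocks directly under META-INF/ are never signed themselves.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
    // True only if every other entry verifies and carries a signature from the pinned certificate.
    static boolean signedByExpected(File jar, String expectedSha256Hex) {
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {            // true = verify signatures
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Signers are known only after a full read; a modified entry throws SecurityException.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false;             // unsigned, e.g. an added entry
                boolean match = false;
                for (CodeSigner s : signers) {
                    byte[] leaf = s.getSignerCertPath().getCertificates().get(0).getEncoded();
                    byte[] d = MessageDigest.getInstance("SHA-256").digest(leaf);
                    String hex = String.format("%064x", new BigInteger(1, d));
                    match |= hex.equalsIgnoreCase(expectedSha256Hex);
                }
                if (!match) return false;                      // signed, but not by the pinned cert
            }
            return true;
        } catch (Exception ex) {                               // SecurityException, IOException, ...
            return false;
        }
    }
    // Usage: java JarSignatureCheck <jar> <SHA-256 of signing certificate, hex without colons>
    public static void main(String[] args) {
        boolean ok = args.length == 2 && signedByExpected(new File(args[0]), args[1]);
        System.exit(ok ? 0 : 1);   // non-zero exit lets a launcher refuse to start
    }
}
```

Running the check from a separate launcher over each jar in the distribution keeps the verifier out of the jars it is checking.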

1 Answer

-1

Not an exact answer to your query, but you can explore ProGuard (http://proguard.sourceforge.net), which makes reverse engineering hard. This will safeguard your jar file.

Vikas Jindal
  • I appreciate critical review/downvoting. Not sure about downvoting here, because in my response I admitted it may not be the exact answer to the question, but the information provided may be helpful. – Vikas Jindal Sep 08 '16 at 16:07
  • Found similar question [here](http://stackoverflow.com/questions/17711671/detect-java-jar-code-tampering) – Vikas Jindal Sep 08 '16 at 16:10