2

I'm looking into how jarsigner works and the purpose of each file in the META-INF folder. As I understand, MANIFEST.MF contains a listing of every file in the zip/jar along with a digest of it. The *.SF file contains a digest of the manifest file, and a listing of every file along with a digest of the section of that file in the manifest. Finally, the *.DSA/RSA file contains a digital signature of the .SF file. My question is, why is there a need for a SF file? What advantage does it have over simply signing the manifest file and storing that in the .RSA/DSA file?

Any change to a file name or content or file deletion would cause a change to the manifest and hence an invalid signature.

F.A.
  • 602
  • 1
  • 7
  • 15
  • What format would the signature have and how would you validate every other file in the jar? *What advantage does it have?* What problem are you actually trying to solve? – Elliott Frisch Oct 04 '16 at 21:51
  • The signature file is generated by signing the binary contents of the SF file. If there's no SF file, the signature file would be generated by signing the binary contents of the manifest file. _What problem are you actually trying to solve?_ Just looking to understand a tool before I use it – F.A. Oct 04 '16 at 21:55
  • 1
    The manifest file doesn't have a field for signatures. They could have added one (I suppose), but they didn't (usual reasons given are fear of breaking old code). As for the implementation in Java, you seem to know it already. So what can we help you with? – Elliott Frisch Oct 04 '16 at 21:57
  • The .SF file also doesn't have a field for signatures. It's just a re-hashing of the manifest file. – F.A. Oct 04 '16 at 21:58
  • And it therefore is isomorphic to the manifest file, without modifying the manifest file (or the manifest file format). – Elliott Frisch Oct 04 '16 at 21:59
  • Right, so if it is isomorphic to the manifest file, why did the makers of jarsigner decide that they needed to create an intermediary SF file instead of just signing the manifest? – F.A. Oct 04 '16 at 22:00

1 Answers1

0

It is possible to add files to jar file at anytime using jar tool. In each such case the MANIFEST.MF file is updated. If MANIFEST.MF file was the one that was signed, the signature would be invalid. However with separate *.SF file the signature can still be verified, provided the files listed in *.SF file have not been changed.

Marian Nasry
  • 821
  • 9
  • 22