
I noticed that in the keytool documentation it reads "jarsigner [...] checks whether or not the public key of that certificate is 'trusted', i.e., is contained in the specified keystore." whereas the jarsigner manpage states "A keystore is not required when verifying [...]", and that the utility will always verify against the certificate supplied with the jar. The way I see it, that would kind of defeat the purpose, since it would only certify that the jar was not altered since it was signed, but not that it was signed by some specific authority/supplier.

Is there some way to make the verification fail if the certificate used to sign the jar is not known/trusted on the runtime system? Or do I have to use a script to call jarsigner -verify -verbose -keystore ... and parse the output to see whether there is an entry for the signing certificate in the local (runtime) keystore?

Confused, Peter

Peter G.
  • Are you able to verify a jar using jarsigner against a specific keystore/certificate, and fail if not? If you have done it, let me know how you did it. – satish Nov 06 '20 at 15:51

1 Answer


The jarsigner utility is quite useless for JAR signature verification, as it does not verify the signer certificate, does not check trusted timestamps on the signature, and does not provide a usable result (parsing console output is not a good solution).

To avoid these limitations we have chosen to write our own verify_jar utility.

Jacek Konieczny
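The check Peter asks for (fail unless the signing certificate is known to the local keystore) and the kind of thing Jacek's verify_jar does can be done in a few dozen lines with the JDK's own APIs instead of parsing jarsigner output. The following is an added example, not code from the question, the answer, or Jacek's verify_jar utility. It opens the JAR with verification enabled so every entry's digest is checked against the signed manifest, then requires each entry's signer either to be a trusted certificate entry in the given keystore (the exact-match case for a self-signed in-house signing certificate) or to chain, via PKIX path validation, to a trust anchor in that keystore. The class name, the command-line arguments, and the choice to skip revocation checking are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Example utility (hypothetical name): exit 0 only if every entry of the JAR is
// signed by a certificate that is in, or chains to, the given truststore.
public class VerifyJarAgainstTruststore {

    public static boolean verify(String jarPath, String truststorePath, char[] password)
            throws IOException, GeneralSecurityException {
        // Keystore holding the certificates accepted as JAR signers (trusted certificate entries).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, password);
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP access; enable it if you have one
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // verify=true makes JarFile check each entry's digest against the signed manifest as it is read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) {
                    continue; // the manifest and signature files are not themselves covered by a signature
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    drain(in); // reading to EOF triggers the digest check
                } catch (SecurityException e) {
                    System.err.println("Tampered entry " + entry.getName() + ": " + e.getMessage());
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null for an unsigned entry
                if (signers == null || signers.length == 0) {
                    System.err.println("Unsigned entry: " + entry.getName());
                    return false;
                }
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    if (signerTrusted(signer, trust, validator, params, cf)) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) {
                    System.err.println("Entry " + entry.getName() + " is signed, but not by a trusted certificate");
                    return false;
                }
            }
        }
        return true;
    }

    /** True if the signer's certificate is itself in the truststore, or chains to a trust anchor in it. */
    static boolean signerTrusted(CodeSigner signer, KeyStore trust, CertPathValidator validator,
                                 PKIXParameters params, CertificateFactory cf) {
        List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
        X509Certificate leaf = (X509Certificate) chain.get(0);
        // Judge validity at the signature's timestamp when one is present, otherwise now.
        Date when = signer.getTimestamp() != null ? signer.getTimestamp().getTimestamp() : new Date();
        try {
            if (trust.getCertificateAlias(leaf) != null) {
                leaf.checkValidity(when); // throws if expired or not yet valid
                return true;              // exact match, e.g. a self-signed in-house signing certificate
            }
            // Otherwise validate the chain up to a trust anchor; trailing certificates that are
            // themselves anchors are dropped, since PKIX validation expects the anchor outside the path.
            int end = chain.size();
            while (end > 1 && trust.getCertificateAlias(chain.get(end - 1)) != null) {
                end--;
            }
            CertPath path = cf.generateCertPath(chain.subList(0, end));
            params.setDate(when);
            validator.validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // expired, not yet valid, or no path to a trust anchor in the keystore
        }
    }

    static boolean isSignatureFile(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals(JarFile.MANIFEST_NAME) || upper.endsWith(".SF")
                || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    static void drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        while (in.read(buf) != -1) { /* discard; only the digest check matters */ }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: VerifyJarAgainstTruststore <jar> <truststore> <storepass>");
            System.exit(2);
        }
        boolean ok = verify(args[0], args[1], args[2].toCharArray());
        System.out.println(ok ? "TRUSTED" : "NOT TRUSTED");
        System.exit(ok ? 0 : 1);
    }
}
```

Compile with javac and run it as `java VerifyJarAgainstTruststore app.jar trusted.jks changeit`; the exit status is the result, so a deployment script needs no output parsing. Unlike `jarsigner -verify`, an unsigned entry, an entry signed by an unknown certificate, or a certificate outside its validity period all fail the check. The signer's timestamp is used only as the reference time here; the timestamp token itself is not validated against a trusted TSA, which is one of the gaps Jacek's answer points out.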