2

I have a Java Desktop application. I'm trying to find a way to download updated jars, and run them without my users having to completely re-install their application. I need to do this safely, and want to verify that 1. the Jars I run haven't been modified, and 2. the Jars I run were signed by me.

Because of how MSIX works, and the new standards for mac os applications, I either can't, or am not supposed to modify my application directories, meaning that I have to save my new jars in an unsafe location, like the User Data directory, or the home directory, where any application can modify them.

How can I ensure that the JVM only runs signed jars, validates them, and only allow signed jars by me?

Scott Pierce
  • 61
  • 4

1 Answers1

-1

Pseudo

  1. Create unit-test or some function
  2. Read file signer
  3. Match/decrypt

Those links might helps

  1. https://www.tutorialspoint.com/java_cryptography/java_cryptography_creating_signature.htm
  2. https://docs.oracle.com/javase/tutorial/deployment/jar/intro.html
NoUserNoName
  • 35
  • 4
  • 1
    The tutorial you sent me is for signing a message, not a jar. Also, I understand how to sign a jar. I don't think this answers my questions, which are 1. How do I ensure the JVM validates the signatures of the Jars I run (this might just happen automatically for any signed jar)? 2. How do I ensure that all that jars the app runs are signed by me? i.e. I don't want someone to just be able to replace a jar with their own signed jar. – Scott Pierce Mar 25 '23 at 02:50