
I have problems with signing jar files. I have some files in the META-INF directory and they do NOT get signed when I use jarsigner, but then the verification fails because of unsigned entries.

I'm not creating the jar, so I cannot change its structure and/or remove files.

How do I get files from META-INF signed?

Here is the part of the build.xml file that manipulates the JAR file:

    <jar destfile="${proj.build.webui.war.dir}/name.jar"
        update="true">
        <manifest>
            <attribute name="Permissions"
                value="all-permissions"/>
            <attribute name="Codebase"
                value="*"/>
            <attribute name="Trusted-Library"
                value="true"/>
        </manifest>
    </jar>
    <!-- sign the jar files -->
    <chmod perm="u+x">
        <fileset dir="${proj.buildtools.dir}">
            <include name="DsJarSigner"/>
        </fileset>
    </chmod>
    <signjar destDir="${proj.build.webui.war.dir}"
        alias="encryptedAlias"
        keystore="${proj.buildtools.dir}/keystore.jks"
        storepass="encryptedPassword"
        executable="${proj.buildtools.dir}/DsJarSigner"
        preservelastmodified="true" >
        <path>
            <fileset dir="${proj.build.webui.war.dir}" includes="name.jar" />
        </path>
        <flattenmapper />
    </signjar>

DsJarSigner is a simple Java program calling jarsigner.

Woland
  • jarsigner should sign the jar as a whole. What command do you give and what error message do you get? – S.L. Barth Jun 24 '14 at 13:19
  • I'm using an Ant task, so I'm not really sure what the exact command is. After signing, new entries appear in the manifest like "Name: SHA1-Digest: LzA8be0iXjzymZZkAu/AeNM9yuQ=". But there are no such entries for files from META-INF. Then, when I try to verify the jar (for example, use it as an applet), I get the security exception about not signed entries. The exception is not thrown if I manually remove all files from META-INF except the manifest and 2 signing-related files. – Woland Jun 24 '14 at 13:34
  • Show us the section of the build.xml starting from when the Jar is created, to the last action on the Jar. This is usually caused by doing things in the wrong order. E.G. indexing the Jar entries after the code is signed. – Andrew Thompson Jun 25 '14 at 09:28
  • I've added a part of build.xml to the question. Note that I'm not creating the jar and cannot modify its structure. – Woland Jun 25 '14 at 10:38

1 Answer


It looks like your jarsigner skips the files in META-INF. There is not much you can do besides using another signer. For example, jarsigner from OpenJDK 8 skips some files from META-INF, which it considers "signature-related", but not others. I observed jarsigners from Oracle JDKs doing the same.

Konstantin Shemyak
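To see which entries a signer left without a manifest digest, as described in the question and answer above, the following added example (not code from the post or from the JDK) lists every jar entry that has no per-entry `*-Digest` section in `META-INF/MANIFEST.MF` and separates the names the JAR specification lists as signature-related from everything else. It checks only that digest entries are present, not that the signature is cryptographically valid; the sample jar, its file names and the function names are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

# Names the JAR specification treats as signature-related; signers leave these
# out of the per-entry digests. Only files directly under META-INF/ qualify.
SIG_RELATED = re.compile(
    r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|DSA|RSA|EC)|SIG-[^/]*)$", re.I)

def digested_names(manifest_text):
    """Return the entry names that carry a per-entry *-Digest attribute."""
    # Undo 72-byte wrapping: a continuation line starts with a single space.
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and any(k.endswith("-Digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def audit(jar_bytes):
    """Map each entry lacking a manifest digest to its classification."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        covered = digested_names(manifest)
        return {n: "signature-related" if SIG_RELATED.match(n) else "unsigned"
                for n in jar.namelist()
                if not n.endswith("/") and n not in covered}

def build_sample():
    """Constructed jar: two digested entries, one stale .SF, one extra file."""
    files = {"com/example/App.class": b"\xca\xfe\xba\xbe",
             "META-INF/services/x.Y": b"x.Impl\n",
             "META-INF/OLD.SF": b"stale",
             "META-INF/notes.txt": b"added after signing"}
    manifest = "Manifest-Version: 1.0\n\n"
    for name in ("com/example/App.class", "META-INF/services/x.Y"):
        digest = base64.b64encode(hashlib.sha256(files[name]).digest()).decode()
        manifest += f"Name: {name}\nSHA-256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind in sorted(audit(build_sample()).items()):
        print(f"{kind:18} {name}")
```

Entries reported as `unsigned` are the ones a strict verifier will reject; entries reported as `signature-related` are expected to have no digest.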