Thursday, March 10, 2011

Jar Signer in Java

Signing a jar lets the recipient verify that it came from a trusted source. When you sign a jar with your digital signature (based on your private key), you place a mark in the jar file that nobody without that key could have produced.

The signature also covers a digest (checksum) of the jar's contents, so if the jar gets corrupted or modified in transit, the signature no longer verifies.

On the other side, your public key is placed into the keystore of the system that trusts you. That key is what the system uses to verify your signature.

Currently, I believe this is mainly used for applets. Using signed jar files, and setting security properties on client browsers, applets can get access to the disk, the network, and other resources they normally cannot reach.

There are many ways to sign a JAR file using jarsigner. One of them is:
jarsigner -keystore C:\working\mystore -signedjar sbundle.jar bundle.jar john
On executing the command, you will be prompted for the store password and the private key password. Here, bundle.jar is the jar file you'd like to sign, using the private key of the user whose keystore alias is "john" in the keystore named "mystore" located in the directory C:\working. The signed output is written to sbundle.jar. For details, see the jarsigner documentation.
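The signing command above covers the sender's side. The receiving side, where the public key sits in a trusted keystore and is used to check the signature and the content digests, can be done programmatically with the JDK's own JarFile class. The program below is an added example written for this post, not code from the original, and it assumes a layout of its own: the jar path, the keystore path and the keystore password are passed as command-line arguments, and the class and method names (SignedJarChecker, verify, drain, isSignatureRelated) are hypothetical. It is stricter than jarsigner -verify in two places that matter to a defender: an entry that carries no signature at all is rejected instead of merely warned about, and an expired signer certificate fails the check rather than producing a warning.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Example checker (not part of the original post): verifies a signed jar
 * against a keystore holding the certificates of signers we trust.
 * Arguments: <jar> <keystore> <storepass>  (assumed layout for this example)
 */
public class SignedJarChecker {

    /** Reads an entry to the end; JarFile compares the digest only once the stream is exhausted. */
    private static void drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        while (in.read(buf) != -1) {
            // discard the bytes; we only want the side effect of the digest check
        }
    }

    /** The manifest and the signature files under META-INF are not themselves signed entries. */
    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
            || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    /**
     * Returns true only if every non-directory entry is signed by a certificate
     * present in the trusted keystore. A corrupted or modified entry makes
     * JarFile throw SecurityException while it is read, so tampering in transit
     * surfaces as an exception rather than being silently accepted.
     */
    public static boolean verify(String jarPath, KeyStore trusted) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) { // true: verify signatures on read
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;

                try (InputStream in = jar.getInputStream(entry)) {
                    drain(in); // throws SecurityException on a digest mismatch
                }

                // Signers are only known after the entry has been fully read.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED entry: " + entry.getName());
                    return false;
                }

                boolean trustedSigner = false;
                for (CodeSigner signer : signers) {
                    // First certificate in the path is the signer's own (leaf) certificate.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf instanceof X509Certificate) {
                        // Stricter than jarsigner -verify, which only warns on an expired certificate.
                        ((X509Certificate) leaf).checkValidity();
                    }
                    // getCertificateAlias returns null unless this exact certificate is in the keystore.
                    if (trusted.getCertificateAlias(leaf) != null) {
                        trustedSigner = true;
                    }
                }
                if (!trustedSigner) {
                    System.out.println("UNTRUSTED signer on: " + entry.getName());
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java SignedJarChecker <jar> <keystore> <storepass>");
            System.exit(2);
        }
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trusted.load(in, args[2].toCharArray());
        }
        boolean ok = verify(args[0], trusted);
        System.out.println(ok ? "jar verified and signer trusted" : "jar REJECTED");
        System.exit(ok ? 0 : 1);
    }
}
```

Two details are easy to get wrong when doing this by hand: getCodeSigners() returns null until the entry has been read to the end, which is why every entry is drained first, and a jar can be "signed" while still containing unsigned entries, which is why the loop treats a null signer array as a failure instead of skipping it.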

