Java Security: Multiple Signatures for a JAR File

Note that signing a JAR file does not alter its constituent class and resource files; jarsigner records a digest for each entry in META-INF/MANIFEST.MF and adds files that a verifier uses to check those digests. This means a JAR can be signed as many times as we wish, by different signers. Every time we sign a JAR, a pair of files is created: a signature file (.SF) and a signature block file (.DSA, .RSA or .EC, depending on the key type). For example, the test.jar produced earlier can be signed again with a separate keystore alias, jerry, as follows:

jarsigner -keystore test.jks -storepass 123456 test.jar jerry

This adds two more files, JERRY.SF (signature file) and JERRY.RSA (signature block file), to the META-INF directory; jarsigner derives the names from the alias, converted to uppercase (and truncated to eight characters if the alias is longer). That they are present can be checked with the following command:

jar tvf test.jar

A sample output of the above command is shown below:

The listing shows that two more files have been added. Note that jar tvf only lists the entries; to check that both signatures actually verify against the JAR contents, run jarsigner -verify -verbose -certs test.jar. The jarsigner command above also requires that test.jks already contains an alias named jerry. If it does not, create it with the following command:

keytool -genkey -alias jerry -keyalg RSA -keystore test.jks -storepass 123456 -keypass 123456 -dname "CN=Jerry, OU=IT, O=JU, L=Kolkata, ST=WB, C=IN"

(-genkey is the older spelling of -genkeypair; both generate an RSA key pair and a self-signed certificate stored under the alias.)
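The following script is an added example, not code from the book or from the JDK: it inspects what the procedure above leaves behind in META-INF. It builds a small JAR in memory with two signer pairs (TOM.SF/TOM.RSA and JERRY.SF/JERRY.RSA, constructed sample data with placeholder signature blocks and digests), pairs each .SF with its signature block file, parses the .SF to see which entries that signer covers, and reports entries a given signer does not cover. This is the check jar tvf cannot make: because a signature only covers the entries present at signing time, a file added between Tom's and Jerry's signings is covered by Jerry but not by Tom. The script does no cryptographic verification; jarsigner -verify does that.

```python
"""Inventory the signers recorded in a JAR's META-INF directory.

Added example (not the book's code). The signature block files and
digests below are placeholders, so this demonstrates the structure that
jarsigner leaves behind and which entries each signer covers, not the
validity of any signature.
"""
import io
import zipfile

META = "META-INF/"
BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block file types jarsigner emits


def parse_sf_entries(sf_text):
    """Return the set of entry names listed in a signature (.SF) file.

    A .SF file uses manifest syntax: a main section, a blank line, then
    one section per signed entry starting with 'Name:'. Long values are
    continued on the next line with a leading space.
    """
    names = []
    in_name = False
    for line in sf_text.splitlines():
        if line.startswith(" ") and in_name:
            names[-1] += line[1:]          # continuation of the Name: value
        elif line.startswith("Name: "):
            names.append(line[len("Name: "):])
            in_name = True
        else:
            in_name = False                # any other header or a blank line
    return set(names)


def signers(jar_bytes):
    """Map each signer (the .SF base name) to its block file and covered entries."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for n in names:
            if not (n.startswith(META) and n.upper().endswith(".SF")):
                continue
            base = n[len(META):-3]
            block = None
            for ext in BLOCK_EXTS:
                if META + base + ext in names:
                    block = META + base + ext
                    break
            found[base] = {
                "block": block,  # None means a dangling .SF with no block file
                "covered": parse_sf_entries(zf.read(n).decode("utf-8")),
            }
    return found


def content_entries(jar_bytes):
    """Entries carrying content: everything outside META-INF that is not a directory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n for n in zf.namelist() if not n.startswith(META) and not n.endswith("/")}


def uncovered_entries(jar_bytes, signer):
    """Content entries the given signer's .SF file does not cover.

    Files added to the JAR after that signer signed it show up here:
    signing does not seal the archive, it only covers what was present.
    """
    return content_entries(jar_bytes) - signers(jar_bytes)[signer]["covered"]


def _sf(entries):
    """Constructed .SF text; the base64 digests are placeholders, not real hashes."""
    head = ("Signature-Version: 1.0\r\n"
            "SHA-256-Digest-Manifest: UExBQ0VIT0xERVI=\r\n"
            "Created-By: constructed sample\r\n\r\n")
    body = "".join(f"Name: {e}\r\nSHA-256-Digest: UExBQ0VIT0xERVI=\r\n\r\n" for e in entries)
    return head + body


def build_sample_jar():
    """Constructed JAR: Tom signed when only Hello.class existed, Util.class was
    added afterwards, then Jerry signed the whole archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/TOM.SF", _sf(["Hello.class"]))
        zf.writestr("META-INF/TOM.RSA", b"placeholder PKCS#7 block")
        zf.writestr("META-INF/JERRY.SF", _sf(["Hello.class", "Util.class"]))
        zf.writestr("META-INF/JERRY.RSA", b"placeholder PKCS#7 block")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")  # constructed class stub
        zf.writestr("Util.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar()

if __name__ == "__main__":
    for name, info in signers(SAMPLE_JAR).items():
        missing = uncovered_entries(SAMPLE_JAR, name)
        print(f"{name}: block={info['block']} covers={sorted(info['covered'])} "
              f"uncovered={sorted(missing)}")
```

To run it against a real signed JAR, pass the bytes of the file to signers() and uncovered_entries(); a non-empty uncovered set for an alias means the archive was modified after that alias signed it, which jarsigner -verify also reports as unsigned entries.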

Source: Uttam Kumar Roy (2015), Advanced Java programming, Oxford University Press.
