I've done a lot of Google searches and I haven't been able to
find any information on doing what I want. (I only find stuff on
signing applets and verifying jar files with the jarsigner
command-line tool.)

Run the jarsigner tool and parse the standard out.

And I have permission from Apple to distribute the jarsigner binary?

I can't speak for Apple but I don't think OS X would be your concern.
The JDK tools including jarsigner are always there.
For other platforms you might need to require the JDK tools be
installed.

Otherwise maybe do enough native verification to assure yourself that
the jar remains valid. For instance, that it still has the correct
manifest and signature files. You would need to look at the jar
signing mechanism in more detail. Possibly you can tell if it's ok
without doing any native crypto. Say if the file indicates in plain
text that the signatures are done by "Originating.com" and that's what
you want, then you can trust the Java runtime to correctly verify the
actual signature is for Originating.com.

I haven't looked at the jar spec for signing in detail enough to say
if there's anything that would serve this functionality.

There might be other Java options that are acceptable as far as
including permission checks in the code, secure class loaders that
verify certificates. I would probably start with "Java Security" -
Scott Oaks, O'Reilly if this was my task.

If you have no confidence that the Java can be completely secured
you could find or write native C packages to do the same
verification. Or duplicate some of the functionality in some other
way. Hash and encrypt the manifest and save that off somewhere. Maybe
as data linked into your native. Possibly using some license code as
the key for the encryption. Then decrypt and compare the hash to the
current manifest. You'll need zip i/o code for that. zlib maybe, open
source zip file native code.

It could probably be done but I think native code can also be
disassembled, recompiled, re-linked. So you have to decide when
you've put enough effort into protecting what you have.

There are, I think, 3rd party packages for licensing Java code as well
as installers. You might look into those.
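
The manifest-pinning idea from the reply above, as an added example that is not part of the original message and is written in Python rather than native C to show the logic: it substitutes HMAC-SHA-256 keyed with a license code for the "hash and encrypt" step, then checks every entry against the digest the pinned manifest lists for it, so a changed, added or removed file is caught as well as a changed manifest. The function names, the sample key and the constructed jar are hypothetical, and it assumes the manifest carries a `SHA-256-Digest` attribute per entry.

```python
import base64, hashlib, hmac, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature files are not listed in the manifest

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def manifest_digests(text):
    """Map entry name -> SHA-256-Digest from the manifest's per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    sections = [dict(l.split(": ", 1) for l in s.splitlines() if ": " in l)
                for s in text.split("\n\n")[1:]]  # section 0 holds the main attributes
    return {a["Name"]: a["SHA-256-Digest"] for a in sections
            if "Name" in a and "SHA-256-Digest" in a}

def manifest_tag(jar_bytes, key):
    """Keyed hash of the manifest, computed at build time and stored with the native code."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return hmac.new(key, jar.read(MANIFEST), hashlib.sha256).hexdigest()

def check_jar(jar_bytes, key, pinned_tag):
    """Return a list of problems; an empty list means the jar matches the pin."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if MANIFEST not in names or len(names) != len(set(names)):
            return ["manifest missing or duplicate entry names"]
        if not hmac.compare_digest(manifest_tag(jar_bytes, key), pinned_tag):
            return ["manifest does not match pinned tag"]
        digests, problems = manifest_digests(jar.read(MANIFEST).decode("utf-8")), []
        for name in names:
            if name.endswith("/") or name == MANIFEST or (
                    name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)):
                continue
            if name not in digests:
                problems.append("unlisted: " + name)
            elif digests[name] != b64sha256(jar.read(name)):
                problems.append("modified: " + name)
        return problems + ["missing: " + n for n in digests if n not in names]

def make_jar(files):
    """Constructed sample: build a jar whose manifest lists a SHA-256 digest per entry."""
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (n, b64sha256(d)) for n, d in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for n, d in [(MANIFEST, mf), *files.items()]:
            jar.writestr(n, d)
    return buf.getvalue()
```

The pinned tag only shows that the jar is the one that was shipped; it says nothing about who signed it, which is what `jarsigner -verify` or the Java runtime's own signature check establishes.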