I've done a lot of Google searches and I haven't been able to
find any information on doing what I want. (I only find stuff on
signing applets and verifying jar files with the jarsigner
Run the jarsigner tool and parse the standard out.
And I have permission from Apple to distribute the jarsigner binary?
I can't speak for Apple but I don't think OS X would be your concern.
The JDK tools including jarsigner are always there.
For other platforms you might need to require the JDK tools be
Otherwise maybe do enough native verification to assure yourself that
the jar remains valid. For instance that It still has the correct
manifest and signature files. You would need to look at the jar
signing mechanism in more detail. Possibly you can tell if it's ok
without doing any native crypto, Say if the file indicates in plain
text that the signatures are done by "Originating.com" and thats what
you want then you can trust the java runtime to correctly verify the
actual signature is for Originating.com.
I haven't looked at the jar spec for signing in detail enough to say
if there's anything that would serve this functionality.
There might be other java options that are acceptable as far as
including permission checks in the code, secure class loaders that
verify certificates. I would probably start with "Java Security" -
Scott Oaks, O'Reilly if this was my task.
If you have no confidence that the java can be completely secured
you could find or write native C packages to do the same
verification. Or duplicate some of the functionality in some other
way. Hash and encrypt the manifest and save that off somewhere. Maybe
as data linked into your native. Possibly using some license code as
the key for the encryption. Then decrypt and compare the hash to the
current manifest. You'll need zip i/o code for that. zlib maybe, open
source zip file native code.
It could probably be done but I think native code can also be
disassembled, recompiled, re-linked. So you have to decide when
you've put enough effort into protecting what you have.
There are I think 3rd party packages for licensing java code as well
as installers. You might look into those.
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden