Signed jar files

Signed jar files In a Java 2 environment, can detect digital signatures on jar files. When attempting to load a class from a signed jar file stored in the database, will verify the validity of the signature. Jar filesloading signed Signed jar files The class loader only validates the integrity of the signed jar file and that the certificate has not expired. cannot ascertain whether the validity/identity of declared signer is correct. To validate identity, use a Security Manager (i.e., an implementation of java.lang.SecurityManager).

When loading classes from an application jar file in a Java 2 environment, behaves as follows:

If the class is signed, will:
- Verify that the jar was signed using a X.509 certificate (i.e., can be represented by the class java.security.cert.X509Certificate). If not, throw an exception.
- Verify that the digital signature matches the contents of the file. If not, throw an exception.
- Check that the set of signing certificates are all valid for the current date and time. If any certificate has expired or is not yet valid, throw an exception.
- Pass the array of certificates to the setSigners() method of java.lang.ClassLoader. This allows security managers to obtain the list of signers for a class (using java.lang.Class.getSigners) and then validate the identity of the signers using the services of a Public Key Infrastructure (PKI).

does not provide a security manager.

For more information about signed jar files, see the Java 2 specifications at http://java.sun.com.

For more information about Java 2 security, go to http://java.sun.com/security/.