I have a zip file containing a number of jar files that is being downloaded from an HTTPS site.
The jars form a command line driven, server side application. I have a Java written application installer that does some checks to verify that the jars are signed using a particular trusted digital certificate and have not been modified during their transport.
Is it it necessary to verify the jar files upon receipt, or is this something the JVM does anyway? I know the JVM verifies the byte code, but what about jar signing?