views:

175

answers:

1

I have a zip file containing a number of jar files that is being downloaded from an HTTPS site.

The jars form a command line driven, server side application. I have a Java written application installer that does some checks to verify that the jars are signed using a particular trusted digital certificate and have not been modified during their transport.

Is it necessary to verify the jar files upon receipt, or is this something the JVM does anyway? I know the JVM verifies the byte code, but what about jar signing?

+1  A: 

It depends on how the jars are being used.

If the jars are eventually loaded by a classloader, the classloader might perform verification of the signature. If the classloader happens to be an instance of URLClassLoader, then it will perform verification of the signature.

If you utilize the JarFile class in the Java API to access the JARs, then using the simple constructors that accept String or File arguments will result in verification being performed. One must explicitly switch off verification, if needed.

Vineet Reynolds
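The check the question describes, done with the JarFile API the answer points to, as an added example (not code from the question, the answer or any project). JarFile's verification only proves that each entry matches a signature block inside the jar; it does not decide whether the signer is one you trust, so the example reads every entry to EOF (signers are only known once the stream has been verified) and then compares the leaf certificate of each signer against a certificate the caller has already loaded. The class name, the `isSignedBy` method and the command-line usage are assumptions for illustration; it requires Java 11+ for `Path.of`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Hypothetical installer-side check: every non-metadata entry in the jar must be
 * signed, and at least one signer must be exactly the trusted certificate.
 */
public final class JarSignatureCheck {

    private JarSignatureCheck() {}

    public static boolean isSignedBy(Path jarPath, X509Certificate trusted) throws IOException {
        // Second argument 'true' = verify digests and signature blocks while reading.
        // Passing 'false' is the explicit opt-out mentioned in the answer above;
        // never do that for a jar fetched from the network.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                // A tampered entry makes read() throw java.lang.SecurityException;
                // we let it propagate so the caller treats the jar as rejected.
                drain(jar.getInputStream(entry));
                // getCodeSigners() is null until the entry has been fully read,
                // and stays null for an entry that is not covered by any signature.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !anySignerMatches(signers, trusted)) {
                    return false; // unsigned entry, or signed by a different key
                }
            }
            return true;
        }
    }

    // The manifest and the META-INF signature files are never themselves signed entries.
    private static boolean isSignatureMetadata(String name) {
        if (name.equals(JarFile.MANIFEST_NAME)) {
            return true;
        }
        return name.startsWith("META-INF/")
                && (name.endsWith(".SF") || name.endsWith(".RSA")
                    || name.endsWith(".DSA") || name.endsWith(".EC"));
    }

    private static boolean anySignerMatches(CodeSigner[] signers, X509Certificate trusted) {
        for (CodeSigner signer : signers) {
            // The signing (leaf) certificate is the first element of the cert path.
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(trusted)) {
                return true;
            }
        }
        return false;
    }

    private static void drain(InputStream in) throws IOException {
        try (InputStream s = in) {
            byte[] buf = new byte[8192];
            while (s.read(buf) != -1) {
                // discard; reading to EOF is what triggers the digest check
            }
        }
    }

    // Usage (assumed): java JarSignatureCheck trusted.cer application.jar
    public static void main(String[] args) throws Exception {
        X509Certificate trusted;
        try (InputStream in = Files.newInputStream(Path.of(args[0]))) {
            trusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(isSignedBy(Path.of(args[1]), trusted) ? "OK" : "REJECT");
    }
}
```

Two things this deliberately does not rely on: the HTTPS download (that protects the transport, not the artifact once it is on disk) and the fact that a signature block exists at all (a jar signed by anyone passes JarFile's own verification; only the certificate comparison ties it to the expected publisher). Comparing the leaf certificate by equality is the strictest choice; an installer that must survive key rotation would instead validate the cert path to a pinned CA, which is outside what this example shows.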