Is it valid to sign a Java war file and include the MANIFEST.MF in <war root>/META-INF

Question

I am looking to sign a war file for distribution via Java Web Start.

As I understand it, the jar signer tool ignores the contents of the META-INF directory so that the signing process does not change the digest value of the jar file.

Will this same process work for a war file? I've never used a META-INF directory in the root of a war file, and I'm not sure it is legal to do so.

Even if it is, will this be accepted by the Webstart security manager as a properly signed file?

Thanks in advance,

Rob.

Answer 1

jarsigner doesn't ignore the whole META-INF directory. Following files are not included in the signature,

• META-INF/MANIFEST.MF
• META-INF/SIG-*
• META-INF/*.SF
• META-INF/*.DSA
• META-INF/*.RSA

It doesn't know anything about WAR. If you sign the WAR, it will be treated as JAR so all the rules will apply.

It's perfectly legal to have a META-INF in the root of WAR. That's where context.xml resides.

I don't even know Web Start supports WAR. It sounds like you are trying to deploy web servers using Web Start. That's an interesting idea.