If a JAR file is digitally signed, does the signature become part of the manifest file?
A:
Apparently the answer is yes: "Developers can digitally sign JAR files. In that case, the signature information becomes part of the manifest file." (http://en.wikipedia.org/wiki/JAR_%28file_format%29)
Gina
2010-05-06 10:03:47
+1
A:
Almost. Actually it is not the JAR file which is signed, but its contents.
Technically, the individual files in the JAR archive which are to be signed are hashed with a suitable hash function (e.g. SHA-1). The hash value are reported in the manifest. Then an extra file is added (an *.SF file) in the META-INF/ directory; that file contains entries for each of the signed files: each entry contains the hash of the corresponding entry in the manifest (so it is, more or less, a hash of hash). The *.SF also contains an entry containing the hash of the main headers in the manifest. Finally, the *.SF file is itself signed, resulting in an *.RSA or *.DSA file (itself in the META-INF/ directory) which follows the CMS format (previously known as "PKCS#7"). CMS relies on the whole paraphernalia of X.509 certificates.
So this is rather indirect. What must be understood is that only individual files in the JAR are signed; there can be a mixture of signed and unsigned parts in a given JAR file.
Thomas Pornin
2010-05-06 15:24:48