views: 53
answers: 2

If a JAR file is digitally signed, does the signature become part of the manifest file?

A: 

Apparently the answer is yes: "Developers can digitally sign JAR files. In that case, the signature information becomes part of the manifest file." (http://en.wikipedia.org/wiki/JAR_%28file_format%29)

Gina
+1  A: 

Almost. Actually it is not the JAR file which is signed, but its contents.

Technically, the individual files in the JAR archive which are to be signed are hashed with a suitable hash function (e.g. SHA-1). The hash values are reported in the manifest. Then an extra file is added (an *.SF file) in the META-INF/ directory; that file contains entries for each of the signed files: each entry contains the hash of the corresponding entry in the manifest (so it is, more or less, a hash of a hash). The *.SF file also contains an entry containing the hash of the main headers in the manifest. Finally, the *.SF file is itself signed, resulting in an *.RSA or *.DSA file (itself in the META-INF/ directory) which follows the CMS format (previously known as "PKCS#7"). CMS relies on the whole paraphernalia of X.509 certificates.

So this is rather indirect. What must be understood is that only individual files in the JAR are signed; there can be a mixture of signed and unsigned parts in a given JAR file.

Thomas Pornin
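As an added illustration of the layered digests described in the answer above (example code, not part of either answer): a Python sketch that writes the per-entry manifest sections, derives the .SF from them, and then verifies entries the way a checker would, reporting files that have no .SF entry as unsigned. It assumes SHA-256 digests (the text says "e.g. SHA-1"), omits jarsigner's 72-byte line wrapping, and leaves out the CMS signature over the .SF; the file contents are constructed.

```python
import base64
import hashlib
# Constructed sample JAR contents (not a real archive): entry name -> bytes.
ENTRIES = {"com/example/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
           "README.txt": b"constructed readme, deliberately left unsigned\n"}

def digest(data: bytes) -> str:
    """Base64 SHA-256 digest, the form MANIFEST.MF and .SF files carry."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def mf_section(name: str, data: bytes) -> str:
    """One per-entry manifest section: the hash of the file itself."""
    return f"Name: {name}\r\nSHA-256-Digest: {digest(data)}\r\n\r\n"

def build_manifest(signed):
    """MANIFEST.MF = main headers + one section per signed entry."""
    main = "Manifest-Version: 1.0\r\nCreated-By: constructed example\r\n\r\n"
    return main + "".join(mf_section(n, ENTRIES[n]) for n in signed)

def build_sf(manifest: str, signed):
    """The .SF file: hash of the manifest main headers, then the hash of each manifest section."""
    main = manifest[: manifest.index("\r\n\r\n") + 4]
    sf = ("Signature-Version: 1.0\r\nSHA-256-Digest-Manifest-Main-Attributes: "
          f"{digest(main.encode())}\r\n\r\n")
    for n in signed:  # the 'hash of a hash': digest over the manifest section, not the file
        sf += f"Name: {n}\r\nSHA-256-Digest: {digest(mf_section(n, ENTRIES[n]).encode())}\r\n\r\n"
    return sf

def sections(text: str) -> dict:
    """Map Name -> (raw section text, its digest line value) for every non-main section."""
    out = {}
    for block in text.split("\r\n\r\n")[1:]:
        if block:
            lines = block.split("\r\n")
            out[lines[0][len("Name: "):]] = (block + "\r\n\r\n", lines[1].split(": ", 1)[1])
    return out

def verify(manifest: str, sf: str, entries: dict) -> dict:
    """Classify entries as a verifier would (CMS signature on the .SF assumed already checked)."""
    mf, sig = sections(manifest), sections(sf)
    result = {}
    for name, data in entries.items():
        if name not in mf or name not in sig:
            result[name] = "unsigned"   # a signed JAR may still carry unsigned files
            continue
        raw, file_digest = mf[name]
        ok = sig[name][1] == digest(raw.encode()) and file_digest == digest(data)
        result[name] = "signed" if ok else "tampered"
    return result
```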