If a JAR file is digitally signed, does the signature become part of the manifest file?
Apparently the answer is yes: "Developers can digitally sign JAR files. In that case, the signature information becomes part of the manifest file." (http://en.wikipedia.org/wiki/JAR_%28file_format%29)
Almost. Actually it is not the JAR file which is signed, but its contents.
Technically, the individual files in the JAR archive which are to be signed are hashed with a suitable hash function (e.g. SHA-1). The hash values are reported in the manifest. Then an extra file is added (an `*.SF` file) in the `META-INF/` directory; that file contains entries for each of the signed files: each entry contains the hash of the corresponding entry in the manifest (so it is, more or less, a hash of hash). The `*.SF` also contains an entry containing the hash of the main headers in the manifest. Finally, the `*.SF` file is itself signed, resulting in an `*.RSA` or `*.DSA` file (itself in the `META-INF/` directory) which follows the CMS format (previously known as "PKCS#7"). CMS relies on the whole paraphernalia of X.509 certificates.
So this is rather indirect. What must be understood is that only individual files in the JAR are signed; there can be a mixture of signed and unsigned parts in a given JAR file.
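Added example (not part of the answer above and not Java's own tooling): it builds a small JAR in memory with the layout the answer describes, a manifest holding per-file digests, an `*.SF` holding the hash-of-hash of each signed manifest section plus the main-attribute digest, and then classifies each entry as signed, tampered or unsigned. The file names and contents, the `SIG.SF` name and the use of SHA-256 (where the answer mentions SHA-1) are assumptions; the CMS `*.RSA`/`*.DSA` block that signs the `*.SF` is omitted, and manifest line wrapping is ignored.

```python
import base64, hashlib, io, zipfile

def digest(data: bytes) -> str:
    """Base64 SHA-256, the form jarsigner writes into manifest and *.SF digest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sections(text: bytes) -> dict:
    """{name: section bytes} for the 'Name:' sections of a manifest or *.SF (main attributes skipped)."""
    secs = [s for s in text.split(b"\r\n\r\n")[1:] if s.startswith(b"Name: ")]
    return {s.split(b"\r\n", 1)[0][6:].decode(): s + b"\r\n\r\n" for s in secs}

def build_manifest(files: dict) -> bytes:
    """MANIFEST.MF: main attributes, then one section per file holding the digest of its content."""
    body = "".join(f"Name: {n}\r\nSHA-256-Digest: {digest(c)}\r\n\r\n" for n, c in files.items())
    return ("Manifest-Version: 1.0\r\n\r\n" + body).encode()

def build_sf(manifest: bytes, signed: list) -> bytes:
    """*.SF: digests of the manifest main attributes and whole manifest, then per signed file the hash-of-hash."""
    main = manifest.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"
    body = (f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest-Main-Attributes: {digest(main)}\r\n"
            f"SHA-256-Digest-Manifest: {digest(manifest)}\r\n\r\n")
    for name, sec in sections(manifest).items():
        if name in signed:  # digest of the manifest SECTION, not of the file itself
            body += f"Name: {name}\r\nSHA-256-Digest: {digest(sec)}\r\n\r\n"
    return body.encode()

def check_jar(jar: bytes, sf_path: str = "META-INF/SIG.SF") -> dict:
    """Classify each non-META-INF entry as 'signed', 'tampered' or 'unsigned' (no *.SF section for it)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        mf_secs, sf_secs, result = sections(z.read("META-INF/MANIFEST.MF")), sections(z.read(sf_path)), {}
        for name in (n for n in z.namelist() if not n.startswith("META-INF/")):
            if name in mf_secs and name in sf_secs:
                content_ok = f"SHA-256-Digest: {digest(z.read(name))}".encode() in mf_secs[name]
                section_ok = f"SHA-256-Digest: {digest(mf_secs[name])}".encode() in sf_secs[name]
                result[name] = "signed" if content_ok and section_ok else "tampered"
            else:
                result[name] = "unsigned"
    return result

def make_jar(files: dict, signed: list, tamper: dict = None) -> bytes:
    """Constructed sample JAR (CMS *.RSA/*.DSA block over the *.SF omitted); `tamper` swaps content in after digesting."""
    mf, buf = build_manifest(files), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/SIG.SF", build_sf(mf, signed))
        for name, content in files.items():
            z.writestr(name, (tamper or {}).get(name, content))
    return buf.getvalue()
```

A real verifier would additionally check the CMS signature over the `*.SF` bytes and its certificate chain; the mixed "signed"/"unsigned" result is exactly the situation the answer warns about.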