After signing a jar, we can retrieve the public keys from the jar using

Certificate[] cert = jarentry.getCertificates();

Once the certificate is extracted, we can save it to a new keystore as a trusted cert.

Once this is done, then a second user can sign any jar using this certificate, isn't it?

I want to distribute content as jars; the contents will contain properties files for an application's init.

I want to make sure that a user is not capable of rebuilding the property files using the certificate he extracted from the jarentry.

In the code which reads the jar contents I am checking that the jar is signed with my certificate only and also checking that the jar is not tampered with.

But the issue came to my mind that if I am able to extract the certificate from the jar, then why can't a third guy?

Can anyone help me with this...

+1  A: 

Once this is done, then a second user can sign any jar using this certificate, isn't it?

No, you need the private key to be able to sign a JAR. You can't sign a JAR with just the public key. Of course the private key is not in the certificate.

See Signing and Verifying JAR Files in Sun's Java Tutorials, it explains the principles and how to do it in detail.

Jesper
Yeah :), thanks Jesper, I tried to sign with the certificate and it failed. You need a private key to sign a jar...
Abhijith V R
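The check the question describes (accept a JAR only if every entry is untampered and signed by one pinned certificate), as an added Java example that is not the asker's or the answerer's code; the class name, the jar path and the pinned Certificate are assumptions. JarFile only verifies that each entry matches the signed manifest, it does not decide whether the signer is trusted, so the caller must pin the certificate itself.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical verifier (added example). Accepts a JAR only if every content
 *  entry is intact and carries a signature whose leaf certificate is `pinned`. */
public final class PinnedJarVerifier {

    public static boolean isSignedBy(String jarPath, Certificate pinned) throws IOException {
        // verify=true makes JarFile check each entry's digest against the signed manifest.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) {
                    continue; // manifest and signature block files are not themselves signed
                }
                // Signers are only known after the entry has been read to EOF;
                // a modified entry throws SecurityException during the read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume fully */ }
                } catch (SecurityException tampered) {
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry, e.g. added after signing
                }
                boolean ours = false;
                for (CodeSigner signer : signers) {
                    // First certificate of the chain is the signer's own (leaf) certificate.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf.equals(pinned)) { ours = true; break; }
                }
                if (!ours) return false; // signed, but not by our key
            }
            return true;
        }
    }

    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.startsWith("META-INF/") && (n.equals("META-INF/MANIFEST.MF")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC"));
    }
}
```

Load the pinned certificate from your own keystore at startup rather than from the JAR being checked, otherwise the comparison is circular.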