Our product is halted at Java version 1.5.0_13 and we would like to upgrade. Our software deploys a large number of jars via Java Web Start; all of these jars must be signed. However, a couple of the jars do not contain class files, and starting with Java version 1.5.0_14, it appears that the jarsign utility chooses not to sign any jar that does not contain class files.

What can I do to force jarsign to sign these jars? Or what can I do to distribute these jars through Java Web Start without signing them? And is there anywhere where this change to jarsign with versions 1.5.0_14 and above is documented? I can't find it in the release notes.

+1  A: 

You can put dummy class files in if you need to. Probably distasteful but maybe necessary.

Joshua
Yes, we found a purpose for the Hello World java app :)
kd304
+1  A: 

It's a long shot, but the SignJar Ant task might be able to convince jarsign to do the right thing. There's a bunch of options there that might tip the balance.

skaffman
+8  A: 

I'm not able to verify that there is any problem. Can you look through and see what might be different in your environment? I'm running on Windows 7 RC.

Let's check the version:

C:\temp>java -version
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)

Let's see what'll be in our jar:

C:\temp>dir /s /b com
C:\temp\com\rdc
C:\temp\com\rdc\test
C:\temp\com\rdc\test\logging.properties

Let's make the jar:

C:\temp>jar -cfv test-source.jar com/*
added manifest
adding: com/rdc/(in = 0) (out= 0)(stored 0%)
adding: com/rdc/test/(in = 0) (out= 0)(stored 0%)
adding: com/rdc/test/logging.properties(in = 13) (out= 15)(deflated -15%)

Let's sign the jar: I'm using a self-signed certificate.

C:\temp>jarsigner -signedjar test-dest.jar test-source.jar vinay
Enter Passphrase for keystore:

Warning: The signer certificate will expire within six months.

Let's see what's in our signed jar:

C:\temp>jar tvf test-dest.jar
   155 Wed Jul 15 23:39:12 BST 2009 META-INF/MANIFEST.MF
   276 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.SF
  1130 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.DSA
     0 Wed Jul 15 23:37:18 BST 2009 META-INF/
     0 Wed Jul 15 19:44:44 BST 2009 com/rdc/
     0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/
    13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties

OK, it certainly appears to have been signed, and it has no classes. Let's look at the contents of MANIFEST.MF:

Manifest-Version: 1.0
Created-By: 1.5.0_14 (Sun Microsystems Inc.)

Name: com/rdc/test/logging.properties
SHA1-Digest: Ob/S+a7TLh+akYGEFIDugM12S88=

And the contents of VINAY.SF:

Signature-Version: 1.0
Created-By: 1.5.0_14 (Sun Microsystems Inc.)
SHA1-Digest-Manifest-Main-Attributes: 4bEkze9MHmgfBoY+fnoS1V9bRPs=
SHA1-Digest-Manifest: YB8QKIAQPjEYh8PkuGA5G8pW3tw=

Name: com/rdc/test/logging.properties
SHA1-Digest: qXCyrUvUALII7SBNEq4R7G8lVQQ=

Now, let's verify the jar:

C:\temp>jarsigner -verify -verbose test-dest.jar

         155 Wed Jul 15 23:51:34 BST 2009 META-INF/MANIFEST.MF
         276 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.SF
        1131 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.DSA
           0 Wed Jul 15 23:37:18 BST 2009 META-INF/
           0 Wed Jul 15 19:44:44 BST 2009 com/rdc/
           0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/
smk       13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: This jar contains entries whose signer certificate will expire within
six months. Re-run with the -verbose and -certs options for more details.

On the face of it, everything appears to be in order. Can you check if your certificates have expired, or been revoked? Are you using self-signed certs or real certs? Or have I misunderstood what your problem is?

Vinay Sajip
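
The manual manifest inspection in the answer above can be automated. This is an added example, not part of the original thread: a Python check that every non-META-INF entry of a jar has a matching digest in MANIFEST.MF and that .SF and signature block files are present. It assumes the jar has a manifest and does not validate the signature itself (that remains the job of jarsigner -verify); the sample jar and its placeholder VINAY.DSA are constructed.

```python
import base64, hashlib, io, zipfile

ALGS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}
RES = "com/rdc/test/logging.properties"  # resource path used in the answer above

def manifest_sections(text):
    """Parse manifest text into {entry name: {attribute: value}}."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # join wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs["Name"]] = attrs
    return sections

def audit_jar(data):
    """Return (signature files present, entries without a matching digest)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
        signed = (any(n.endswith(".SF") for n in meta)
                  and any(n.endswith((".DSA", ".RSA", ".EC")) for n in meta))
        sections = manifest_sections(jar.read("META-INF/MANIFEST.MF").decode())
        bad = []
        for n in names:
            if n.endswith("/") or n.upper().startswith("META-INF/"):
                continue  # directories and signature metadata carry no digest
            if not any(sections.get(n, {}).get(key) == base64.b64encode(
                    hashlib.new(alg, jar.read(n)).digest()).decode()
                    for key, alg in ALGS.items()):
                bad.append(n)
        return signed, bad

def build_sample(sign, tamper=False):
    """Constructed jar: one resource, no class files, placeholder signature."""
    body, manifest, buf = b"level=INFO\n", "Manifest-Version: 1.0\n\n", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if sign:
            digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
            manifest += f"Name: {RES}\nSHA1-Digest: {digest}\n\n"
            jar.writestr("META-INF/VINAY.SF", "Signature-Version: 1.0\n\n")
            jar.writestr("META-INF/VINAY.DSA", b"placeholder, not a real signature")
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr(RES, body + b"#edited\n" if tamper else body)
    return buf.getvalue()

if __name__ == "__main__":
    for args in [(True,), (False,), (True, True)]:
        print(args, audit_jar(build_sample(*args)))
```

Run against each jar in a Web Start deployment, a non-empty second element names the entries that would fail verification.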
+1  A: 

BTW, I tried the same thing as Vinay, but with the JDK 1.5.0_17 jarsigner, and a proper Verisign certificate, and got the same results. Jarsigner worked, and the jar verified using jarsigner -verify.

smackfu
+1  A: 

Adding to this: I'm using Java Web Start, and I have a jar which contains only images. With a JDK 1.6_05 (07, 10, too), and an Ant generation, it is signed without a problem (with a self-signed cert). So, like others described, it doesn't seem to be linked to the jar containing .class files or not.

Gnoupi
+1  A: 

For anyone searching on this issue, we determined it only affects certain later versions of Java 1.5, those from 1.5.0_14 onward, I believe. It appears to be fixed in the latest versions of 1.5, and is definitely fixed in 1.6.

skiphoppy