以编程方式验证和签名Jar [英] Verify and Sign a Jar programmatically

问题描述

我是这个主题的新手，所以我希望我使用正确的词汇. 是否有可能在Java self中获得Jarsigner的可能性?

I am new to this topic, therefore I hope I use the right vocabulary. Is it possible to get the possibility of Jarsigner within Java self?

我需要以编程方式执行以下操作:

I need the possibility to do the following things programatically:

• 验证罐子是否已使用密钥库中的特定私钥签名
• 如果罐子被验证:取消罐子的签名
• 使用来自官方证书颁发机构的另一个私钥在罐子上签名，该私钥位于同一密钥库中或另一个密钥库中

在伪代码中，我想像这样:

In pseudo-code I imagine something like this:

JarVerifier verifier = new JarVerifier(/*all needed parameters like the location of the keystore*/);
verifier.verify(jarFile); //returns a value which indicates the result (an Enum or an integer value)

对jar进行签名应该以类似的方式进行:

Signing the jar should work in a similar way:

JarSigner signer = new JarSigner(/*all needed parameters like the location of the keystore, passwords, alias*/);
signer.sign(jarFile);

我知道这是许多其他问题的重复，但是我对他们的回答不满意.在大多数情况下，这些答案的解决方案是自写类，对从OpenJDK找到的类的修改或提示仍需编写代码以及如何完成此操作的提示. 这对我来说是不可接受的，因为它们没有维护(或者我必须自己编写和维护类)，我对它们的正确性(尤其是如果我必须自己编写代码)和许可问题一无所知.

I know that this is a duplicate of many other questions, but I am not happy with their answers. The solution of these answers is in most cases a self-written class, a modification of a class found from OpenJDK or a hint that the code needs still to be written and how this can be done. This is not acceptable for me, because they are not maintained (or I have to write and maintain the classes myself), I know nothing about their correctness (especially if I have to write the code myself) and license issues.

我没有得到的是，Oracle似乎没有提供简单的解决方案，特别是因为这是一个至关重要的主题，在该主题中错误可能导致系统不安全.

What I don't get is that there seems to be no easy solution provided by Oracle, especially as it is such a critical topic, where an error might lead to an insecure system.

推荐答案

我尝试亲自回答问题.

验证

要验证Jar，似乎没有一个好的即用型解决方案.因此，需要编写自己的代码.

To verify the Jar there seems not be be a good ready-to use solution. Therefore own code needs to be written.

签名

有一个Ant任务 SignJar 可以对jar进行签名，可以在Java内部使用Ant任务

There is the Ant Task SignJar which is able to sign jars and it is possible to use Ant Tasks inside Java

签名罐子的类如下所示:

The class to sign the jars can look like this:

public class JarSigner extends SignJar {

public JarSigner() {
    project = new Project();
    project.init();
    taskType = "signJar";
    taskName = "signJar";
    target = new Target();
}

public static void signJar(File jarToSign, String alias, String keypass, String keystore, String storepass) {
    JarSigner signer = new JarSigner();
    signer.setJar(jarToSign);
    signer.setAlias(alias);
    signer.setKeypass(keypass);
    signer.setKeystore(keystore);
    signer.setStorepass(storepass);
    signer.setSignedjar(jarToSign);
    signer.execute();
}
}

取消签名

还不需要它.

这篇关于以编程方式验证和签名Jar的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！