如何验证自签名jar上的签名？ [英] How to verify signature on self signed jar?

问题描述

我用我使用keytool生成的密钥对我的jar进行了签名。在运行时，如何验证jar还没有被修改？

I've signed my jar with a key that I generated using keytool. At runtime, how do I verify that the jar hasn't been modified?

目标是使用证书信息并验证自jar构建以来jar中的每个类都没有被修改过。这是运行时检查，因此包含代码的jar可以在用户文件系统的任何位置。

The goal is to use the certificate information and verify that each class in the jar has not been modified since the jar was built. This is a runtime check so the jar containing the code could be anywhere on the user's file system.

推荐答案

JarFile class嵌入jar验证程序。此代码段验证存档中所有条目的签名：

The JarFile class embeds the jar verifier. This code snippet verifies the signature of all entries in an archive :

JarFile jar = new JarFile("/path/to/myarchive.jar");
Enumeration<JarEntry> entries = jar.entries();
while (entries.hasMoreElements()) {
    JarEntry entry = entries.nextElement();
    try {
        jar.getInputStream(entry);
    } catch (SecurityException se) {
        /* Incorrect signature */
        throw new Error("Signature verification failed", se);
    }
}

请注意，此代码验证了jar的完整性但是不会根据给定的密钥或证书验证签名。

Note that this code verifies the integrity of the jar but does not verifies the signature against a given key or certificate.

这篇关于如何验证自签名jar上的签名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！