Re: Signing JAR files

Gigi Ankeny (Gigi.Ankeny@Eng)
Fri, 11 Jul 1997 12:35:49 -0700 (PDT)

To: java-security@web2.javasoft.com, cliao@nortel.ca

>
> 1. In the document <<Manifest Format>>, it is said that we can sign
> portions of a JAR file. By using javakey, can we do it? It seems to
> me that if we use javakey, we sign the whole JAR file.
>
No, you can do that with the current javakey tool; however, the manifest format
is still valid, and we are working on providing a more powerful tool in the near
future to include those kinds of functionalities.

> 2. I remember that I have seen somewhere that we sign only class files
> in a JAR file. Is that true? I have tried javakey tool to sign a JAR.
> The extracted xxxxSIG.SF file indicated that all files in the JAR were
> signed.
>
No, it is not true that you can only sign class files.


> 3. In the document <<Manifest Format>>, it says that each signer is
> represented by a signature. It seems to me that there is only one
> signature file (xxxSIG.SF + xxxSIG.DSA) per signer per JAR file and
> in the signature file (xxxSIG.SF), we have a block for each signed
> file contained in the JAR file. Am I right?
>
> I thank you in advance for your answer.
>
The files that one signer signs are authenticated by its SIG.SF and SIG.DSA,
i.e. if you have two signers, Alice and Bob, who both want to sign this jar file,
then you would end up with AliceSIG.SF + AliceSIG.DSA and BobSIG.SF and
BobSIG.DSA.

I hope that helps.
would use the javakey to do it twice and end up with

> Christian Liao
> Nortel (Northern Telecom)
> Canada
>

-- 
Gigi Lee     security group engineer
Rm 1436, MailStop UCUP02-102
JavaSoft, 20525 Marianni Blvd. Cupertino, CA 95014
mailto:gigi.ankeny@eng.sun.com 
HomePage: http://java.sun.com/people/gigi/
          http://www-cs-students.stanford.edu/~gigi
Phone: (408) 863-3135  Fax:
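
The per-signer layout discussed in this message (one .SF file plus one .DSA file per signer, with one block per signed file inside the .SF) can be audited by listing which entries each signer's .SF names. The following is an added example, not part of the original message and not JavaSoft code; it only reports coverage and does not verify any signature. The JAR it inspects is constructed in memory, and its digest values and .DSA contents are placeholders.

```python
import io
import zipfile

def parse_sections(text):
    """Split manifest-style text into sections, each a dict of header -> value."""
    sections, current, last = [], {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:                            # blank line closes a section
            if current:
                sections.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:     # continuation of a wrapped value
            current[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            current[last] = value
    if current:
        sections.append(current)
    return sections

def signer_coverage(jar_bytes):
    """Return ({signer: entries listed in its .SF}, entries listed by no signer)."""
    coverage = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for n in names:
            if n.upper().startswith("META-INF/") and n.upper().endswith(".SF"):
                sections = parse_sections(jar.read(n).decode("utf-8"))
                coverage[n[9:-3]] = {s["Name"] for s in sections if "Name" in s}
    payload = {n for n in names if not n.upper().startswith("META-INF/")}
    return coverage, payload - set().union(*coverage.values())

def build_sample_jar():
    """Constructed JAR: digests and .DSA blocks are placeholders, not real signatures."""
    def sf(*entries):
        body = "Signature-Version: 1.0\n\n"
        return body + "".join(f"Name: {e}\nSHA-Digest: PLACEHOLDER\n\n" for e in entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in ("App.class", "images/logo.gif", "notes.txt"):
            jar.writestr(name, b"constructed sample content")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n\n")
        jar.writestr("META-INF/AliceSIG.SF", sf("App.class", "images/lo\n go.gif"))
        jar.writestr("META-INF/AliceSIG.DSA", b"placeholder")
        jar.writestr("META-INF/BobSIG.SF", sf("App.class"))
        jar.writestr("META-INF/BobSIG.DSA", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    coverage, unsigned = signer_coverage(build_sample_jar())
    for signer, entries in sorted(coverage.items()):
        print(signer, "lists", sorted(entries))
    print("listed by no signer:", sorted(unsigned))
```

In the constructed JAR, Alice's .SF lists two entries, Bob's lists one, and `notes.txt` is listed by neither, which is the case a reviewer of a partially signed archive needs to see.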