Date: Tue, 26 Jan 1999 09:34:29 -0800 (PST)
From: Jan Luehe <luehe@laguna.eng.sun.com>
Subject: Re: JSECURITY Issue: Jarsigner Verification
To: java-security@java.Sun.COM, webmaster@java.Sun.COM,
When you use the "-verbose" option for verification, you'll
see the information you are looking for, for example:
% jarsigner -verify -verbose test.jar
183 Tue Jan 26 09:26:56 PST 1999 META-INF/MYKEY.SF
555 Tue Jan 26 09:26:56 PST 1999 META-INF/MYKEY.DSA
0 Thu Jan 21 17:03:30 PST 1999 META-INF/
smk 1008 Thu Jan 21 16:59:56 PST 1999 Test.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
This will show if any of the public keys used for verification
have been stored in your keystore, i.e., have been authenticated.
This is done per class in the JAR file.
Jan
> Date: Mon, 25 Jan 1999 23:10:00 GMT
> From: <dgugpta@hotmail.com>
> To: java-security@java.sun.com, webmaster@java.sun.com,
> jfm-archive@webmaker.eng.sun.com
> Subject: JSECURITY Issue: Jarsigner Verification
>
> Name: Deepak Gupta
> Email: dgugpta@hotmail.com
> Organization: TISL
> Phone Number: 1-919-677 1878
> Location: North America
> System: WinNT
> Referring URL: http://java.sun.com/cgi-bin/search.cgi
> Browser: Netscape
> Browser Version: 4.05
>
> Hi,
> The tutorial at the site
> http://java.sun.com/docs/books/tutorial/security1.2/toolfilex/rstep2.html
> says that the contract is verified once the certificate is imported by the
> receiver and is verified using jarsigner. But the jarsigner only verifies the
> signature present on the jar file. It does not match it with the certificate
> present in the keystore. So even if I do not import the certificate, the result
> is still "jar verified". This is true even if the receiver does not have ANY
> keystore. jarsigner does not verify the person who has signed it. In fact, if the
> contract is hacked in between, changed, original signature files deleted and
> signed by any key with the same alias, the jar will still say VERIFIED. So this
> is not the way to send contract files securely. ..........
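The practical consequence of the reply above is that "jar verified." on its own only proves the signature matches the certificate carried inside the JAR's own META-INF/*.DSA block; the "k" flag is what ties the signer to a certificate the receiver actually imported. The following POSIX shell audit is an added example, not code from the original thread or from the JDK: it parses "jarsigner -verify -verbose" output and refuses the JAR unless every signed class entry carries "k" (and flags any unsigned, non-META-INF entry). The keystore and JAR names (receiver.jks, contract.jar) are assumed, and the two sample listings are constructed from the listing in Jan's mail, with the second one showing the case the reporter describes (no matching certificate in the keystore, so "s" and "m" but no "k").

```shell
#!/bin/sh
# Added example: gate acceptance of a signed JAR on the "k" flag rather than
# on the bare "jar verified." summary line.
#
# Real use (assumed names; receiver.jks is the keystore into which the
# sender's certificate was imported with "keytool -import"):
#   jarsigner -verify -verbose -keystore receiver.jks contract.jar | audit_jarsigner_output

# Reads "jarsigner -verify -verbose" output on stdin.
# Prints a line for each problem entry and returns 1 if any were found:
#   - signed entry whose flags lack "k" (signer certificate not in keystore)
#   - entry with no "s" flag at all (content the signature does not cover)
# META-INF/ entries (manifest, *.SF, *.DSA, directories) are skipped.
audit_jarsigner_output() {
    awk '
        # Skip the legend ("s = signature was verified"), the summary
        # ("jar verified.") and blank/short lines.
        $2 == "=" || $1 == "jar" || NF < 8 { next }
        {
            name = $NF
            # The flag column is present only for signed/listed entries;
            # unsigned entries start directly with the size field.
            flags = ($1 ~ /^[smki]+$/) ? $1 : ""
            if (name ~ /^META-INF\// || name ~ /\/$/) next
            if (flags !~ /s/) {
                printf "UNSIGNED ENTRY: %s\n", name
                bad++
            } else if (flags !~ /k/) {
                printf "UNTRUSTED SIGNER: %s (flags=%s)\n", name, flags
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: receiver keystore contains the sender certificate.
SAMPLE_TRUSTED='
     183 Tue Jan 26 09:26:56 PST 1999 META-INF/MYKEY.SF
     555 Tue Jan 26 09:26:56 PST 1999 META-INF/MYKEY.DSA
       0 Thu Jan 21 17:03:30 PST 1999 META-INF/
smk     1008 Thu Jan 21 16:59:56 PST 1999 Test.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
'

# Constructed sample: no keystore, or the JAR was re-signed by someone whose
# certificate was never imported. The signature still verifies, "k" is absent.
SAMPLE_UNTRUSTED='
     183 Tue Jan 26 09:26:56 PST 1999 META-INF/MYKEY.SF
     555 Tue Jan 26 09:26:56 PST 1999 META-INF/MYKEY.DSA
       0 Thu Jan 21 17:03:30 PST 1999 META-INF/
sm      1008 Thu Jan 21 16:59:56 PST 1999 Test.class

jar verified.
'

# usage: check_sample "$SAMPLE_TRUSTED"   -> exit status 0 (accept) or 1 (reject)
check_sample() {
    printf '%s\n' "$1" | audit_jarsigner_output
}

# Demonstration when run directly.
echo "--- receiver keystore contains the sender certificate"
check_sample "$SAMPLE_TRUSTED" && echo "ACCEPT"
echo "--- no matching certificate in keystore"
check_sample "$SAMPLE_UNTRUSTED" || echo "REJECT"
```

The check deliberately treats "jar verified." as noise: that line is printed whenever the embedded signature is internally consistent, which is exactly the condition the reporter shows to be insufficient. Only the per-entry "k" flag reflects a certificate the receiver chose to trust.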