Signing JAR files

KE-Qiang Liao (cliao@nortel.ca)
11 Jul 1997 09:55 EDT

Message-Id: <199707111354.GAA27500@java1.javasoft.com>
Date: 11 Jul 1997 09:55 EDT
To: java-security@web2.javasoft.com
From: "KE-Qiang Liao" <cliao@nortel.ca>
Subject: Signing JAR files

Hi,

I have several questions on signing JAR files.

1. In the document <<Manifest Format>>, it is said that we can sign
portions of a JAR file. By using javakey, can we do it? It seems to
me that if we use javakey, we sign the whole JAR file.

2. I remember that I have seen somewhere that we sign only class files
in a JAR file. Is that true? I have tried the javakey tool to sign a JAR.
The extracted xxxxSIG.SF file indicated that all files in the JAR were
signed.

3. In the document <<Manifest Format>>, it says that each signer is
represented by a signature. It seems to me that there is only one
signature file (xxxSIG.SF + xxxSIG.DSA) per signer per JAR file and
in the signature file (xxxSIG.SF), we have a block for each signed
file contained in the JAR file. Am I right?

I thank you in advance for your answer.

Christian Liao
Nortel (Northern Telecom)
Canada
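
Added example, not part of the original message and not JavaSoft's code: a short Python check that compares the "Name:" sections of a JAR manifest with those listed in one signer's .SF file, to show which entries that signer covers. The file names, digest values and function names are constructed for illustration, and the layout (blank-line-separated sections, continuation lines starting with a space) is assumed from the manifest format the message refers to.

```python
# Constructed sample data (file names and digest values are placeholders).
MANIFEST_MF = """Manifest-Version: 1.0

Name: app/Main.class
SHA-Digest: CONSTRUCTED-DIGEST-1

Name: app/Helper.class
SHA-Digest: CONSTRUCTED-DIGEST-2

Name: images/logo.gif
SHA-Digest: CONSTRUCTED-DIGEST-3
"""

# One signer's .SF file; the second name is wrapped to exercise continuation lines.
SIGNER_SF = """Signature-Version: 1.0

Name: app/Main.class
SHA-Digest: CONSTRUCTED-DIGEST-4

Name: app/Hel
 per.class
SHA-Digest: CONSTRUCTED-DIGEST-5
"""

def parse_sections(text):
    """Return {entry name: attributes} for each 'Name:' section."""
    entries = {}
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # continuation line: drop the leading space
            elif raw.strip():
                lines.append(raw)
        attrs = dict(line.partition(": ")[::2] for line in lines)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def signer_coverage(manifest_text, sf_text):
    """Compare the manifest's entries with those one signer's .SF lists."""
    manifest, signed = parse_sections(manifest_text), parse_sections(sf_text)
    return {
        "signed": sorted(n for n in manifest if n in signed),
        "unsigned": sorted(n for n in manifest if n not in signed),
        "not_in_manifest": sorted(n for n in signed if n not in manifest),
    }

if __name__ == "__main__":
    print(signer_coverage(MANIFEST_MF, SIGNER_SF))
```

The check only compares entry names; it does not verify digests or the accompanying .DSA signature block.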