jar signing

 
 
srinivas.veeranki@gmail.com
 
      12-18-2007
Hi All,

I made the jar signer using the following commands in the build.xml
<!-- For Signed Jars -->
<property name="alias" value="pluginsigner"/>
<property name="storepass" value="gis123"/>

And

<target name="sign" description="To sign the jars..." depends="jar">
    <signjar jar="${basedir}\DcvBuild\dcvclient.jar" alias="${alias}"
             storepass="${storepass}"/>
</target>

It generates the signed jar successfully. But it's not giving any
security to it. By using the decompiler I generated the jad file and
modified and saved that file as .java and recompiled generated source
file. I replaced the old .class file with new .class file and made
the jar file. I replaced the old jar (signed) with new jar file. I am
able to run my application with new jar file.

Is it possible to restrict the modification in the signed jar file?
And also my requirement is not to allow the application to run with
new jar. Is it possible?

Can you please suggest me. Thanks in advance...

Regards,

Srinivas.
 
Andrew Thompson
 
      12-18-2007
(E-Mail Removed) wrote:
...
>It generates the signed jar successfully. But its not giving any
>security to it. ...


1) Signing a jar does not inherently 'give security' to it.
A signed applet will prompt the user to allow full permissions,
but they can always refuse. A signed web start app. will
only get extra permissions if it requests them by specifying
j2ee-application-client-permissions or all-permissions
in the JNLP file (and the user agrees). A regular app.
does not have a security manager, and code signing
will not be checked.
2) So, are you running this as a standard application?
If that is the case, you might get the effect you want by
launching it using web start, which I presume would notice
the changed code, the invalid signature, and reject it.

BTW - did you run the code signing tools 'information mode'
on the second jar, to ask if it was correctly signed?

--
Andrew Thompson
http://www.physci.org/

Message posted via http://www.javakb.com

 
Andrew Thompson
 
      12-19-2007
Andrew Thompson wrote:
>...
>>It generates the signed jar successfully. But its not giving any
>>security to it. ...

...
>BTW - did you run the code signing tools 'information mode'
>on the second jar, to ask if it was correctly signed?


Ahh yes, there it is.
jarsigner -verify [ options ] jar-file
<http://java.sun.com/javase/6/docs/te...r.html#Options>


--
Andrew Thompson
http://www.physci.org/

srinivas.veeranki@gmail.com
 
      12-19-2007
On Dec 18, 5:23 pm, "Andrew Thompson" <u32984@uwe> wrote:
> (E-Mail Removed) wrote:
>
> ..
>
> >It generates the signed jar successfully. But its not giving any
> >security to it. ...

>
> 1) Signing a jar does not inherently 'give security' to it.
> A signed applet will prompt the user to allow full permissions,
> but they can always refuse. A signed web start app. will
> only get extra permissions if it requests them by specifying
> j2ee-application-client-permissions or all-permissions
> in the JNLP file (and the user agrees). A regular app.
> does not have a security manager, and code signing
> will not be checked.
> 2) So, are you running this as a standard application?
> If that is the case, you might get the effect you want by
> launching it using web start, which I presume would notice
> the changed code, the invalid signature, and reject it.
>
> BTW - did you run the code signing tools 'information mode'
> on the second jar, to ask if it was correctly signed?
>
> --
> Andrew Thompson http://www.physci.org/
>
> Message posted via http://www.javakb.com


Hi,

I am running my application as a standalone app. How can I restrict
this using web start?

Can u plz suggest me?

What about the jobfuscate? Does it work for this? I tried with this
but it's not generating output jar. I am unable to process any files
using jobfuscate even though I set classpath.

Regards,
Srinivas.
 
Roedy Green
 
      12-19-2007
Here is the ANT I use for a simple Jar build and sign.

<target name="jar" depends="compile">
    <genjar jarfile="${jar.file}">
        <!-- include main class and all its dependencies -->
        <class name="${main.class}" />
        <!-- define the manifest -->
        <manifest>
            <attribute name="Main-Class" value="${main.class}" />
        </manifest>
    </genjar>

    <!-- S I G N -->
    <!-- get _your_ password from set jarsignerpassword=sesame -->
    <!-- get _your_ code-signing certificate from set cert=mindprodcert2007aprdsa -->
    <property environment="env" />
    <signjar jar="${jar.file}"
             alias="${env.cert}" storepass="${env.jarsignerpassword}" />
</target>

--
Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
 
Roedy Green
 
      12-19-2007
On Tue, 18 Dec 2007 02:15:58 -0800 (PST), (E-Mail Removed)
wrote, quoted or indirectly quoted someone who said :

>It generates the signed jar successfully. But its not giving any
>security to it.


You might want to examine the jar with Winzip to make sure all the
pieces you expected are really in there.

See http://mindprod.com/jgloss/jar.html
http://mindprod.com/jgloss/jarsignerexe.html

--
Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
 
Andrew Thompson
 
      12-19-2007
(E-Mail Removed) wrote:
>> (E-Mail Removed) wrote:

...
>I am running my application as a standalone app. How can i restrict
>this using web start.


After posting that comment, I realised that would be pointless.
If someone 'wraps up' an application in webstart, it is trivial to
'unwrap it' and use it as a plain application again.

>Can u plz suggest me?


Can you please spell words properly? This is not some
SMS/text message where we need to restrict the message
to just '90 characters'.

>What about the jobfuscate? ..


I have never used obfuscators. From what I hear, they
are good for compressing bytecodes, and they make
an app. a little harder to reverse engineer, but not
impossible.

What does this application do? Can the critical parts of
the application be moved to a server?

--
Andrew Thompson
http://www.physci.org/

Roedy Green
 
      12-20-2007
On Tue, 18 Dec 2007 02:15:58 -0800 (PST), (E-Mail Removed)
wrote, quoted or indirectly quoted someone who said :

>Is it possible to restrict the modification in the signed jar file.
>and also my requirement is not to allow the application to run with
>new jar.


What do you mean by that? Signing means nobody else can modify your
jar without losing your signature. What else do you need?
--
Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
 
srinivas.veeranki@gmail.com
 
      12-28-2007
On Dec 20, 1:41 pm, Roedy Green <(E-Mail Removed)>
wrote:
> On Tue, 18 Dec 2007 02:15:58 -0800 (PST), (E-Mail Removed)
> wrote, quoted or indirectly quoted someone who said :
>
> >Is it possible to restrict the modification in the signed jar file.
> >and also my requirement is not to allow the application to run with
> >new jar.

>
> What do you mean by that? Signing means nobody else can modify your
> jar without losing your signature. What else do you need?
> --
> Roedy Green Canadian Mind Products
> The Java Glossary http://mindprod.com


Hi,

My actual requirement is to restrict the decompiler process. I
signed the jar, but I'm able to decompile the .class file and I can
generate the .java file. I wanna restrict this process. If I use the
Jobfuscate I'll achieve my requirement. But I'm unable to generate the
jar file even though I set the classpath before executing the jobfuscate
command.

I generated the jar file using the build.xml. Can I apply jobfuscate
command to that generated jar file which contains the main method
class? This is the client side jar only.

Is it possible to include jobfuscate command in the build.xml?

Thanks in advance..

Srinivas.

 
EJP
 
      12-30-2007
Roedy Green wrote:
> Signing means nobody else can modify your
> jar without losing your signature.


That's not quite right. Your original signature will remain, but it will
no longer correspond with the signature generated at verification time
for any changed files. So the verification step will fail.
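
The thread's two technical points are that a regular application never checks its own jar's signature, and that tampering only surfaces when a verification step runs. The following added example (not code from any poster in this thread) performs the jarsigner -verify check from Java and additionally rejects unsigned or re-signed jars by pinning the signer certificate; the class name VerifySignedJar and the SHA-256 fingerprint argument are assumptions of this example.

```java
import java.io.File;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {
    /** Throws SecurityException unless every entry is intact and signed by the pinned certificate. */
    static void verify(File jarPath, String pinnedSha256Hex) throws Exception {
        byte[] buf = new byte[8192];
        // verify=true: entry digests are checked against the signed manifest while reading
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* a changed file throws SecurityException here */ }
                }
                // Signers are only known after the entry has been read to the end.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                boolean pinned = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    pinned |= sha256Hex(leaf.getEncoded()).equals(pinnedSha256Hex);
                }
                if (!pinned) throw new SecurityException("unexpected signer: " + e.getName());
            }
        }
    }
    // Manifest and signature files directly under META-INF/ are not themselves signed entries.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
    static String sha256Hex(byte[] data) throws Exception {
        return String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(data)));
    }
    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = jar to check, args[1] = SHA-256 of the expected signer certificate (hex)
        verify(new File(args[0]), args[1].replace(":", "").toLowerCase(Locale.ENGLISH));
        System.out.println("jar verified");
    }
}
```

Run the check from a launcher or updater that is not inside the jar being checked; a check compiled into the same jar can be decompiled and removed along with everything else.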
 