The JDK jarsigner always puts the manifest at the beginning of a JAR file; but the Netscape's signtool puts the manifest at the end of a JAR file. The current JarInputStream implementation cannot verify a jar file signed by Netscape' signtool since it doesn't even read the manifest in such a JAR file. JarFile can verify JAR files signed by Netscape's sihntool; but JarFile only works with files, not other kind of inputstreams. When you pass a JAR file signed by Netscape's signtool (e.g., /home/shliu/public_html/testJAR/getpropThawe.jar) to the TestJarInputStream, you get exceptions; but the TestJarFile does get the manifest from that JAR file. =========================== TestJarInputStream.java ================ import java.util.jar.*; import java.net.*; import java.io.*; public class TestJarInputStream { public static void main(String[] args) throws Exception { isJarSigned(new URL(args[0])); System.out.println("Okey:" + args[0]); } /* * Verify a jar file is signed by a signer with a certificate which can be * traced back to a trusted CA. */ private static void isJarSigned(URL jarURL) throws IOException { String jarURLString = jarURL.toString(); URLConnection connection = jarURL.openConnection(); JarInputStream jis = new JarInputStream(connection.getInputStream()); Manifest man = jis.getManifest(); if (man == null) throw new JarException(jarURL.toString() + " is not signed."); } } ============================= TestJarFile.java =================== import java.util.jar.*; import java.net.*; import java.io.*; public class TestJarFile { public static void main(String[] args) throws Exception { isJarSigned(args[0]); System.out.println("Okey:" + args[0]); } /* * Verify a jar file is signed by a signer with a certificate which can be * traced back to a trusted CA. */ private static void isJarSigned(String fName) throws IOException { JarFile jf = new JarFile(new File(fName)); Manifest man = jf.getManifest(); if (man == null) throw new JarException(fName + " is not signed."); } }
|