Using the JarFile class I can verify that a jar file has been signed. But, based on my reading of the API docs and the jarsigner docs, I do not see a way to verify the signer. In other words, I can verify that the jar has not been modified since it was signed, but it seems that it could have been signed by anyone using any key.
Wouldn't verification pass if an attacker modified the jar and then signed it with his own key?
This seems like 开发者_Go百科a fundamental principle to exclude from the documentation - so I suspect I am missing some background knowledge somewhere. What am I missing?
What you have done is verified the jar has not been changed you have not seen if you trust the signer. That step requires you to inspect the certificate. Take a peek at Verification with Certificate Information section on the jarsigner page.
jarsigner -keystore /working/mystore -verify -verbose -certs myTest.jar
This should verify the jar and inspect/validate the signers certificate chain according to your trusted certs in your keystore.
Web browsers do this automatically by looking at the cacerts file in the lib/security folder that comes with the JRE which stores a list of well known and trusted CAs.
In my case I want to verify that the signer is who I expect it to be.
How about this?
Given that I know the public key of the expected signer. I came up with this bit of code:
public boolean isSignedBy(JarEntry entry, X509Certificate requiredSigner) {
PublicKey requiredPublicKey = requiredSigner.getPublicKey();
for (Certificate cert : entry.getCertificates()) {
if (requiredPublicKey.equals(cert.getPublicKey())) {
return true;
}
}
return false;
}
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论