jar signing

[srinivas.veeranki]

Hi All,

I made the jar signer using the following commands in the build.xml
<!-- For Signed Jars -->
<property name="alias" value="pluginsigner"/>
<property name="storepass" value="gis123"/>

And

<target name="sign" description="To sign the jars..." depends = "jar">
<signjar jar="${basedir}\DcvBuild\dcvclient.jar" alias="${alias}"
storepass="${storepass}"/>
</target>

It generates the signed jar successfully. But its not giving any
security to it. By using the decompiler I generated the jad file and
modified and saved that file as .java and recompiled generated source
file. I replaced the old .class file with new .class file. and made
the jar file. I replaced the old jar(signed) with new jar file. I am
to run my application with new jar file.

Is it possible to restrict the modification in the signed jar file.
and also my requirement is not to allow the application to run with
new jar. Is it possible.

Can you please suggest me. Thanks in advance...

Regards,

Srinivas.

 

[Andrew Thompson]

It generates the signed jar successfully. But its not giving any
security to it. ...

1) Signing a jar does not inherently 'give security' to it.
A signed applet will prompt the user to allow full permissions,
but they can always refuse. A signed web start app. will
only get extra permissions if it requests them by specifying
j2ee-application-client-permissions or all-permissions
in the JNLP file (and the user agrees). A regular app.
does not have a security manager, and code signing
will not be checked.
2) So, are you running this as a standard application?
If that is the case, you might get the effect you want by
launching it using web start, which I presume would notice
the changed code, the invalid signature, and reject it.

BTW - did you run the code signing tools 'information mode'
on the second jar, to ask if it was correctly signed?

 

[Andrew Thompson]

... ...
BTW - did you run the code signing tools 'information mode'
on the second jar, to ask if it was correctly signed?

Ahh yes, there it is.
jarsigner -verify [ options ] jar-file
<http://java.sun.com/javase/6/docs/technotes/tools/windows/jarsigner.html#Options
--
Andrew Thompson
http://www.physci.org/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1

 

[srinivas.veeranki]

(e-mail address removed) wrote:

..


1) Signing a jar does not inherently 'give security' to it.
A signed applet will prompt the user to allow full permissions,
but they can always refuse. A signed web start app. will
only get extra permissions if it requests them by specifying
j2ee-application-client-permissions or all-permissions
in the JNLP file (and the user agrees). A regular app.
does not have a security manager, and code signing
will not be checked.
2) So, are you running this as a standard application?
If that is the case, you might get the effect you want by
launching it using web start, which I presume would notice
the changed code, the invalid signature, and reject it.

BTW - did you run the code signing tools 'information mode'
on the second jar, to ask if it was correctly signed?

Hi,

I am running my application as a standalone app. How can i restrict
this using web start.

Can u plz suggest me?

What about the jobfuscate? Is it works for this. I tried with this but
but its not generating output jar. I am unable to process any files
using jobfuscate eventhought I set classpath.

Regards,
Srinivas.

 

[Roedy Green]

Here is the ANT I use for a simple Jar build and sign.

<target name="jar" depends="compile">
<genjar jarfile="${jar.file}">
<!-- include main class and all its dependencies -->
<class name="${main.class}" />
<!-- define the manifest -->
<manifest>
<attribute name="Main-Class" value="${main.class}" />
</manifest>
</genjar>

<!-- S I G N -->
<!-- get _your_ password from set jarsignerpassword=sesame -->
<!-- get _your_ code-signing certificate from set
cert=mindprodcert2007aprdsa -->
<property environment="env" />
<signjar jar="${jar.file}"
alias="${env.cert}" storepass="${env.jarsignerpassword}" />
</target>

 

[Roedy Green]

It generates the signed jar successfully. But its not giving any
security to it.

You might want to examine the jar with Winzip to make sure all the
pieces you expected are really in there.

See http://mindprod.com/jgloss/jar.html
http://mindprod.com/jgloss/jarsignerexe.html

 

[Andrew Thompson]

...
I am running my application as a standalone app. How can i restrict
this using web start.

After posting that comment, I realised that would be pointless.
If someone 'wraps up' an application in webstart, it is trivial to
'unwrap it' and use it as a plain application again.

Can u plz suggest me?

Can you please spell words properly? This is not some
SMS/text message where we need to restrict the message
to just '90 characters'.

What about the jobfuscate? ..

I have never used obfuscators. From what I hear, they
are good for compressing bytecodes, and they make
an app. a little harder to reverse engineer, but not
impossible.

What does this application do? Can the critical parts of
the application be moved to a server?

--
Andrew Thompson
http://www.physci.org/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1

 

[Roedy Green]

Is it possible to restrict the modification in the signed jar file.
and also my requirement is not to allow the application to run with
new jar.

What do you mean by that.? Signing means nobody else can modify your
jar without losing your signature. What else do you need?

 

[srinivas.veeranki]

What do you mean by that.?  Signing means nobody else can modify your
jar without losing your signature. What else do you need?

Hi,

My actual requirement is to restrict the decompiler process. I
signed the jar, but Im able to decompile the .class file and and I can
generate the .java file. I wanna restrict this process. If I use the
Jobfuscate I ll achieve my requirement. But Im unable to generate the
jar file even I set the classpath before executing the jobfoscate
command.

I generated the jar file using the build.xml. can i apply jobfuscate
command to that generated jar file which contains the main method
class. This is the client side jar only.

Is it possible to include jobfoscate command in the build.xml.

Thanks in advance..

Srinivas.

 

[EJP]

Signing means nobody else can modify your
jar without losing your signature.

That's not quite right. Your original signature will remain, but it will
no longer correspond with the signature generated at verification time
for any changed files. So the verification step will fail.

 

[Roedy Green]

My actual requirement is to restrict the decompiler process

see http://mindprod.com/jgloss/obfuscator.html

 

[Roedy Green]

jobfoscate
command.

I had never heard of jobfuscate before. I googled it.

http://www.duckware.com/jobfuscate/index.html

it is an obfuscator than seems to work on class files rather than
complete jars as is traditional. It renames class files.

I would just build the jar as before just using the renamed file.

see http://mindprod.com/jgloss/ant.html
http://mindprod.com/jgloss/jarexe.html
http://mindprod.com/jgloss/jarsigner.html

 

[Roedy Green]

That's not quite right. Your original signature will remain, but it will
no longer correspond with the signature generated at verification time
for any changed files. So the verification step will fail.

In other words the jar will no longer be signed.

Using an analogy, digitally signing is like sealing with sealing wax
and your signet ring. If somebody tampers, the wax seal will be
broken.

The term "sealing" is often used in computing still to mean some way
of freezing a collection from changes.

 

[Roedy Green]

The term "sealing" is often used in computing still to mean some way
of freezing a collection from changes.

see http://mindprod.com/jgloss/seal.html

 

[EJP]

In other words the jar will no longer be signed.

No, in other words the signature will no longer be *valid*.