Comparison with Previous Releases

There are few changes to the Signature class itself between Java 1.1 and Java 2. In Java 1.1, there is no SignatureSpi class and the Signature class extends the Object class instead; the setParameter( ) method that requires an algorithm parameter spec does not exist in 1.1. In 1.1 and Java 2, version 1.2, the default security provider supports only DSA signatures; to get RSA signatures you must either install a third-party security provider or upgrade to 1.3. The SignedObject class is only available in Java 2.
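The provider dependence described above can be checked on whatever JDK is in use. The following is an added example, not code from the book: it assumes a Java 8 or later runtime (for `Provider.getServices()` and lambdas), and the class name `SignatureSupport`, the payload string and the key sizes are constructed for illustration. It lists the Signature algorithms each installed provider registers, then signs a payload with SignedObject and confirms that verification succeeds only with the matching public key.

```java
import java.security.*;
import java.util.*;

public class SignatureSupport {
    // Per installed provider, the Signature algorithms it registers.
    static Map<String, SortedSet<String>> signatureAlgorithms() {
        Map<String, SortedSet<String>> out = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            SortedSet<String> algs = new TreeSet<>();
            for (Provider.Service s : p.getServices()) {
                if ("Signature".equals(s.getType())) algs.add(s.getAlgorithm());
            }
            if (!algs.isEmpty()) out.put(p.getName(), algs);
        }
        return out;
    }

    // Sign a serializable payload with SignedObject; return true only if it
    // verifies under the signer's key and is rejected under an unrelated key.
    static boolean roundTrip(String keyAlg, String sigAlg, int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlg);
        kpg.initialize(bits);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair();
        SignedObject so = new SignedObject("constructed sample payload",
                signer.getPrivate(), Signature.getInstance(sigAlg));
        boolean good = so.verify(signer.getPublic(), Signature.getInstance(sigAlg));
        boolean wrongKey = so.verify(other.getPublic(), Signature.getInstance(sigAlg));
        return good && !wrongKey;
    }

    public static void main(String[] args) throws Exception {
        signatureAlgorithms().forEach((prov, algs) -> System.out.println(prov + ": " + algs));
        String[][] cases = {{"DSA", "SHA256withDSA"}, {"RSA", "SHA256withRSA"}};
        for (String[] c : cases) {
            try {
                System.out.println(c[1] + " round trip ok: " + roundTrip(c[0], c[1], 2048));
            } catch (NoSuchAlgorithmException e) {
                // The situation the text describes for RSA on 1.1 and 1.2.
                System.out.println(c[1] + ": no installed provider supplies it");
            }
        }
    }
}
```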

There are significant changes to the way in which signed classes are handled between Java 1.1 and Java 2. In Java 1.1, there is no jarsigner tool; the equivalent tool is called javakey, and it creates signatures using the 1.1 identity scope (rather than a keystore). We will discuss this in Appendix C.

Since Java 1.1 does not have code sources, reading a signed jar file is also different. In fact, since the java.util.jar package does not exist in that release, the classes required to read a standard PKCS7 signature block are unavailable to us. More important, the security manager must handle signed classes differently: the class loader we presented here must be modified to associate the certificates with the class using the setSigners( ) method of the Class class, and the security manager must retrieve those certificates with the getSigners( ) method. In general, the security manager and the class loader must be more tightly-coupled ...
