Securely signing JAR artefacts
Signing an archive places a digital signature in the META-INF folder of that archive. Concretely, the signer records a digest of every signed entry in META-INF/MANIFEST.MF, writes a signature file (META-INF/<alias>.SF) containing a digest of the manifest and of each manifest section, and stores a PKCS#7/CMS signature over that signature file, generated with the signer's private key, in a signature block file (.RSA, .DSA or .EC). Because the digests cover the exact bytes of each entry, changing any signed entry or the manifest after signing breaks verification. Entries added after signing are simply not covered: jarsigner -verify still reports the archive as verified but warns that it contains unsigned entries, so a consumer that relies on the signature has to check for them.
There are several reasons to sign an archive:
- Used in the runtime environment to support assertions about who signed the code
- Used in the runtime environment to ensure that the byte-code being executed, and the other resources being used, match what existed when the signature was generated
- Used in a download situation to ensure that a downloaded archive contains exactly what was signed by the expected party
- Used in a diagnostic or forensic process to ensure that the deployed code matches what was signed at the time of being ...