The next tool we’ll look at is the jarsigner tool; this tool creates signed JAR files. The jarsigner tool uses the
information in a keystore to look up information about a particular
entity and uses that information either to sign or to verify a JAR
file. As we discussed in the section on
the keystore that
jarsigner uses is subject to the KeyStore class that has been installed into
the virtual machine; if you have your own keystore implementation,
jarsigner will be able to use it. Similarly, if you use the standard keystore implementation,
but hold the keys in a file other than the default, jarsigner will allow you to
use that other file as well.
A signed JAR file is identical to a standard JAR file except that a signed JAR file contains two additional entries:
SIGNER.SF: A file containing an SHA message digest for each class file in the archive. The digest is calculated from the three lines in the manifest for the class file. The base of this name (SIGNER) varies; it is typically based upon the alias of the keystore entry used to sign the archive.
SIGNER.DSA: A file containing the digital signature of the .SF file. The base of this name matches the first part of the .SF file; the extension is the algorithm used to generate the signature. This file also contains the certificate of the entity that signed the archive.
The algorithm used to generate the signature depends upon the type of the key found in the keystore: if the key is an X509 ...
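The layout described above can be checked by hand. This is an added example, not code from the original text: it recomputes each .SF digest from the matching manifest section and reports whether a signature block with the same base name is present. The JAR is constructed in memory, the `SHA1-Digest` attribute name and the placeholder .DSA contents are assumptions of the sample, and the signature itself is not verified (`jarsigner -verify` does that).

```python
import base64, hashlib, io, re, zipfile

SECTION = re.compile(rb"(?m)^Name: ([^\r\n]+)\r?\n(?:[^\r\n]+\r?\n)*\r?\n")
DIGEST = re.compile(rb"(?m)^(SHA[\w-]*)-Digest: (\S+)")

def sections(raw):
    """Map entry name -> raw section bytes, blank line included (wrapped names not handled)."""
    return {m.group(1).decode(): m.group(0) for m in SECTION.finditer(raw)}

def check_sf(jar_bytes):
    """For each META-INF/*.SF return (signature block present?, {entry: digest ok?})."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = sections(jar.read("META-INF/MANIFEST.MF"))
        for sf in (n for n in names if re.fullmatch(r"META-INF/[^/]+\.SF", n)):
            # The block file shares the .SF base name; its extension names the algorithm.
            has_block = any(sf[:-2] + ext in names for ext in ("DSA", "RSA", "EC"))
            result = {}
            for entry, sec in sections(jar.read(sf)).items():
                m = DIGEST.search(sec)
                if not m or entry not in manifest:
                    result[entry] = False
                    continue
                alg = m.group(1).decode().replace("-", "").lower()
                h = hashlib.new({"sha": "sha1"}.get(alg, alg), manifest[entry])
                result[entry] = base64.b64encode(h.digest()) == m.group(2)
            report[sf] = (has_block, result)
    return report

def build_jar(tamper=False):
    """Constructed sample: one entry, alias SIGNER, placeholder (not real) .DSA bytes."""
    cls = b"\xca\xfe\xba\xbe constructed"
    digest = base64.b64encode(hashlib.sha1(cls).digest())
    section = b"Name: Foo.class\r\nSHA1-Digest: " + digest + b"\r\n\r\n"
    sf = (b"Signature-Version: 1.0\r\n\r\nName: Foo.class\r\nSHA1-Digest: "
          + base64.b64encode(hashlib.sha1(section).digest()) + b"\r\n\r\n")
    if tamper:  # simulate a manifest edited after the .SF file was written
        section = section.replace(digest, base64.b64encode(hashlib.sha1(b"other").digest()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n\r\n" + section)
        jar.writestr("META-INF/SIGNER.SF", sf)
        jar.writestr("META-INF/SIGNER.DSA", b"placeholder, not a real signature")
        jar.writestr("Foo.class", cls)
    return buf.getvalue()

if __name__ == "__main__":
    print(check_sf(build_jar()))
    print(check_sf(build_jar(tamper=True)))
```

A `False` for an entry means the manifest section no longer matches what the .SF file recorded, so the signature over the .SF file no longer covers that entry.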