Signing and verifying an application
Hi
We have an application contained in a jar file. We need to sign the application so that users can be sure that the application has not been modified maliciously. This is a standard desktop application which will be run on a desktop PC. We sign our jar file with jarsigner and keytool to test it. When it works correctly, we will buy a "Sun Java Signing Digital ID" from www.verisign.com!
But now I have the problem that I need to check, first thing on every startup, whether the jar is verified. This is to check that nobody has changed classes in the jar to bypass the registration, for example. How can I check on startup whether the jar is verified? Must I run a special method in the security manager?
THANKS!
It makes no sense to verify the application with some code inside the application itself.
When the app is patched with malicious code, the code for verifying may be manipulated too.
That is true. There is no guaranteed way except to have a secure application loader on the system already.
But it makes it more difficult for criminals when we check whether the classes have been verified and check that the signature is the right one! If somebody wants to crack an application and he is good, he can crack every application (see WinXP ;-)), but we can make it as difficult as possible for the cracker! When the complexity is bigger than the costs, most crackers won't crack the application! It is impossible to secure your application completely!
I certainly understand the concern and I have read a fair amount on code signing and other security concerns, but frankly I wonder how ubiquitous this problem really is. Does this type of thing really happen?
There is already a built-in difficulty for a hacker to do this. Bob, the hacker, cannot just take any arbitrary data stream and inject or replace data into it except for the purposes of corrupting the stream to the point of making it not usable. Of course, Bob could simply replace the entire stream with his own application if he knows that the stream is an application originally (if it's an image, it makes no sense, as I'm not going to "execute" an image file, nor is the OS, as it's going to open it based on file extension). So the only way for Bob to do anything useful is to first get a copy of the application, then decompile it and/or profile it to see what it is and how it works, and then spend time figuring out how he can change it to actually get it to do anything except not work.
There is a generally better way to handle this: MD5 or SHA digests for the application package. If you go to get any open source application these days (anything from Apache, as an example), you can get an MD5 sum for it to check against what you download. Of course, the user has to do this, but such is life.
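An added example (not code from this thread) of the startup check the original poster asked about, written with the replies' caveat in mind: it runs inside the jar it verifies, so it only raises the bar and is no substitute for a trusted loader. It opens the jar with verification enabled, reads every entry so the JDK checks the manifest digests and signature block, and then compares each entry's signer certificate against a pinned fingerprint; the fingerprint constant and the self-locating code path are assumptions to adapt.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    // Assumption: SHA-256 fingerprint of the certificate jarsigner used; pin your own value here.
    static final String EXPECTED_SIGNER_SHA256 = "<sha256 fingerprint of your signing certificate>";

    // Hex SHA-256 over the DER encoding of a certificate, as keytool -list -v prints it (without colons).
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // True only if every entry outside META-INF/ is signed and its signer matches the pinned fingerprint.
    // A modified class shows up as a digest mismatch, which the JDK raises as a SecurityException on read.
    static boolean allEntriesSignedBy(String jarPath, String expectedFingerprint) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {   // verify=true: check digests while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer information is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain the entry */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();   // null for an unsigned entry
                if (signers == null || signers.length == 0) return false;
                // The leaf certificate of the first signer's chain is the one jarsigner signed with.
                Certificate leaf = signers[0].getSignerCertPath().getCertificates().get(0);
                if (!expectedFingerprint.equalsIgnoreCase(fingerprint(leaf))) return false;
            }
        } catch (SecurityException tampered) {
            return false;   // a manifest digest or the signature block did not match an entry
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the jar to check is the one this class was loaded from.
        String self = JarSignatureCheck.class.getProtectionDomain()
                .getCodeSource().getLocation().toURI().getPath();
        if (!allEntriesSignedBy(self, EXPECTED_SIGNER_SHA256)) {
            System.err.println("JAR integrity check failed: refusing to start");
            System.exit(1);
        }
        System.out.println("JAR signature verified, starting application");
    }
}
```

A class added to the jar after signing carries no signer and fails the check as well, which is why the loop rejects unsigned entries rather than only tampered ones.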
Similar Messages
-
Signing and Organizing Forms Application...?
I am using an iPad for our food ministry. I need an application that allows me to sign (and resize signature to fit on lines) forms, alphabetize forms by name or even address, and do this fast and easily. Does anyone know of an application that I could use? Please Help!
-
Sample code to sign and verify
Hi,
Those of you who might be following my threads will know that signing and verifying data is proving to be a big problem
on my Java Card. I use JC 2.1.1
Could anyone please post a simple code snippet that signs AND verifies data. Please post code that actually works on your card and is thus tested and proven.
Thank you all very much for all your support and help.
Hi,
probably not the right forum for this type of questions. However, have a look here, maybe it helps: https://blogs.oracle.com/shay/entry/to_adf_or_oaf_or
Frank -
I can't install and update any application, even for the free app the system ask me to sign in to the billing payment. Even though that I did sign, it still declined. Any one could help, please
All Apple iTunes Store accounts must have a valid form of payment set up. Even for free apps and updates. The Payment Declined message comes from your card issuer or payment source; Apple is just a pass-through for the message. You need to find out why your issuer is declining your card.
-
I have two Apple ID accounts. When I used to update applications it used to prompt a default ID (the old one), and if the application was downloaded using the other ID I would cancel and it would prompt the other ID, but not any more.
It just prompts the old ID, which I'm not signed in with; I'm signed in using the new ID, and when I cancel nothing happens, and when I try to update applications separately I have the same problem.
I'm signed in using the new ID.
The old one is my wife's so I can't delete it.
The problem happens when I update all or each application on its own.
Using iOS 5.0.1 on an iPhone 3GS.
The applications are downloaded using both the new and old IDs.
Any help will be greatly appreciated.
These are user-to-user forums, you are not talking to Apple here and they don't monitor these forums - I've asked the hosts to remove your account ids from your post.
In terms of combining accounts it's not currently possible to do so, nor to copy/transfer content from account to another. -
My iPod is not working at all. When I plug it into my laptop I get an iTunes sign and below that a plug-in sign; also it says new software found, however it first asks me to install the software disc, which I don't have with me now. Can you please check the same and reply ASAP... please, thanks.
The link I and Ingo provided included:
1. Remove iTunes and related components from the Control Panel
Use the Control Panel to uninstall iTunes and related software components in the following order and then restart your computer:
iTunes
QuickTime
Apple Software Update
Apple Mobile Device Support
Bonjour
Apple Application Support (iTunes 9 or later)
Important: Uninstalling these components in a different order, or only uninstalling some of these components, may have unintended effects.
That is more than QuickTime and iTunes. Follow all the instructions in the link for removing and reinstalling the Apple software. -
The volume up and down controls on my wireless keyboard show a no entry sign and do not respond when used...please help?
If you want to get a little more "exotic" you can try remapping the function keys. I did a little google searching and the hits that looked promising are,
Mapping volume and eject keys to 3rd-party keyboard Other Hardware
Spark
Spark is a powerful, and easy Shortcuts manager. With Spark you can create Hot Keys to launch applications and documents, execute AppleScript, control iTunes, and more...
You can also export and import your Hot Keys library, or save it in HTML format to print it.
Spark is free, so use it without moderation! -
How do you change the color of the sign and fill text to the color blue
How do you change the color of the sign and fill text to the color blue in a pdf document
Is this using the "Fill & Sign" tab of https://cloud.acrobat.com/fillsign (for now text input is only black) or maybe using the Fill & Sign tool in Adobe Reader XI, or another application?
Thanks,
Josh -
I have 2 point security for AppleID. My iPhone 4S is listed as my trusted phone to text. No tel. no. is given. I am updating to iPhone 6Plus with same tel. no. Do I need to change anything for the sign in verification?
Of course, you can also add your iPhone telephone # as a trusted device. This way when you insert your SIM card into any phone, Apple will automatically recognize your cell phone # as a trusted device (may be handy if your iPhone breaks but you insert the SIM card into another phone).
HOWEVER:
Having also your iPhone as a trusted device is convenient if you travel and use a different SIM card at destination. This way you can still use the iPhone for verification, even though you are using a different phone #.
Regards -
Euro-sign (and Greek) doesn't work even with nchar/nvarchar2
This is something that has been blocking me for a few days now, and I'm running out of ideas.
Basically, the problem can be summarised as follows:
declare
  text nvarchar2(100) := 'Make €€€ fast!';
begin
  dbms_output.put_line( text );
end;

And the output (both in SQL Developer and Toad) is:

Make ¿¿¿ fast!

See, I was under the impression that by using nchar and nvarchar2, you avoid the problems you get with character sets. What I need this for is to check (in PL/SQL) what the length of a string is in 7-bit units when converted to the GSM 03.38 character set. In that character set, there are 128 characters: mostly Latin characters, a couple of Greek characters that differ from the Latin ones, and some Scandinavian glyphs.
Some 10 other characters, including square brackets and the euro sign, are escaped and take two 7-bit units. So, the above message takes 17 7-bit spaces.
However, if I make a PL/SQL function that defines an nvarchar2(128) with the 128 standard characters and another nvarchar2(10) for the extended characters like the euro sign (the ones that take two 7-bit units), and I do an instr() for each character in the source string, the euro sign gets converted to an upside-down question mark, and because the delta (the first Greek character in the GSM 03.38 character set) also becomes an upside-down question mark, the function thinks that the euro sign is in fact a delta, and so assigns a length of 1.
To try to solve it, I created a table with an nchar(1) for the character and a smallint for the number of units it occupies. The characters are entered correctly, and show as euro signs and Greek letters, but as soon as I do a query, I get the same problem again. The code for the function is below:
function get_gsm_0338_length(
  text_content in nvarchar2
) return integer
as
  v_offset integer;
  v_length integer := 0;
  v_char   nchar(1);
begin
  for i in 1..length(text_content)
  loop
    v_char := substr( text_content, i, 1 );
    -- gsm_0338_charset maps each character (ch) to the number of 7-bit units it occupies (l)
    select l
      into v_offset
      from gsm_0338_charset
     where ch = v_char;
    v_length := v_length + v_offset;
  end loop;
  return v_length;
exception
  -- a character outside the GSM 03.38 table forces the message into 16-bit encoding
  when no_data_found then
    return length(text_content) * 2;
end get_gsm_0338_length;

Does anybody have any idea how I can get this to work properly?
Thanks,
- Peter
Well, the person there used a varchar2, whereas I'm using an nvarchar2. I understand that you need the right codepage and such between the client and the database if you use varchar2, which is exactly the reason why I used the nvarchar2.
However, if I call the function from /Java/, it does work (I found out just now). But this doesn't explain why SQL Developer and Toad are being difficult, and I'm afraid that, because this function is part of a much bigger application, I'll run into the same problem.
- Peter -
Issue while Signing and Encrypting the PDF Document.
Hello,
I am developing one component in VC++(MFC) which signs and encrypts the pdf documents.
When i sign and encrypt pdf document using my component, I am getting following error while opening the document in Adobe Acrobat
Error during signature verification
Unexpected byte range values defining scope of signed data.
Details: The signature byte range is invalid
But if i open that document in binary mode and calculate the byte range its looking correct.
The Process for signing and encrypting the PDF document is as follows :
1) Prepare the PDF document for signing (add Annotation objects, n0/n2 layers, create blank signature field, new xref section etc.)
2)Encrypt the whole document(Password based encryption).
3)Put the ByteRange values.
4)Write the signature in blank signature field.
If I just perform encryption (128 bit RC4 algorithm) on the PDF document it works fine. Only after adding the signature objects do I get the above error. I think it means something is wrong in the signature related objects, but I am not able to recognize the exact problem.
So what can be the issue?
Please Help
Thanks in Advance
Priyanka
I am sending the sample files
blank.pdf file is a original file
http://www.2shared.com/file/4677649/3f341d92/blank.html
step 1: I am adding Signing object(without data in Contents<> key) in
blank.pdf file.
Output File is Prepared-blank.pdf
http://www.2shared.com/file/4677648/48332d04/Prepared-blank.html
step 2: Sending Prepared-blank.pdf file for encryption.
Output File is SignednEncrypted-blank.pdf which is Encrypted and Signed.
http://www.2shared.com/file/4677647/d88c3095/SignednEncrypted-blank.html
Password for opening SignednEncrypted-blank.pdf is : "a".
Please help.
Thanks. -
My Adobe isn't letting me add a signature, and the document that I am downloading from my school's website has signature not allowed under properties. Tried to convert to word and then back to a PDF to change properties but it is still not allowing signatures without echosign. My prof needs to add his own signature and does not want to do it through echosign. Trying to get the document signed and saved as a PDF then sent to him. Any suggestions?
-
How to disable digital signing and saving of PDF form?
I have a PDF form that I have created. It does not have a signature field becuase I need them to print and physically sign the form. However no matter what I do Adobe Reader offers the option to digitally sign the form (as well as save it). How do I disable this?? Thank you for the help in advance.
Thank you for the answer and explanation. Unfortunately I am still not sure the best solution.
It is a business application for a city site. As a result the limit of 500 is obviously not going to work. Also for legal reasons they need the form physically signed.
The original hope was to provide a PDF form that could be filled in (almost entirely) on the computer if desire and then printed, signed, and turned in to the city.
What they don't want is for someone to fill it out on the computer, use the echosign and email it as they need the physical signature.
Sounds like we might have to choose between:
- not having it interactive (so they can just print it out and fill it out)
Or
- make it so they can fill it out on the computer, but include instructions that they need the print it out and physically sign it. And hope they follow the instructions.
Again, thank you for the explanation. I think I will just have to let them decide. -
How to generate single signature for code signing and timestamp
Hi we are developing Win 7 VC++ app using Crypto APIs.
Here code signing is done using Cryptsignhash() method, that generates the signature. Later for time stamping CryptRetriveTimestamp() method is used which also generate the time stamp signature. Thus we wanted to know
whether there is any single Crypto API available that can do code signing and timestamping together and shall generate single signature. At verification side it should be also possible to separate code signing and timestamp signatures prior to verification.
Any help is highly appreciated. Thanks.
On 4/17/2015 1:21 AM, Babu12345 wrote:
*Hi we are developing Win 7 VC++ app using Crypto APIs. *
*Here code signing is done using Cryptsignhash() method, that generates the signature. Later for time stamping CryptRetriveTimestamp() method is used which also generate the time stamp signature. Thus we wanted to know whether there is any single Crypto API
available that can do code signing and timestamping together and shall generate single signature.
No. Normally, you don't counter-sign the actual data - you counter-sign and time stamp your signature. You don't want to transmit the whole data (which could be a) large and b) confidential) to a third party. This is why it's a two step process.
Igor Tandetnik -
Simple question involving data signing and encryption
What is exactly mean by signing and encrypting data?
And how would it apply to the case of a web browser..where I have to sign and encrypt data to and from a web browser? In this case it is an output and input stream.
Does every byte have to be signed or just the starting bytes? Signing every byte would make the process slow and inefficient.
I know if you sign and encrypt the data to the web browser, it will obviously not be recognized but this is my scenario:
Your ASCII art didn't come across at all, I'm afraid - I'm not sure what you were going for, but I can't seem to recreate it. I think I can follow the explanation, though.
P is the program I am developing. It is supposed to encrypt and sign data to and from the web browser. P1 gets the web browser request, encrypts the data and is supposed to sign the data, then sends it to P2, which decrypts and verifies the signature and then forwards it to the proxy or the server as seen. Vice versa for the server response.
So you're working on a web proxy that encrypts its transmissions, and you want to add signature verification as well.
My question still remains... how do you sign a stream?
I answered your question, actually. You don't sign "streams" - you sign "messages". In your case, you sign the entire transmission, and then you transmit it.
Right now I am using RSA keys to send a symmetric key across safely for the decryption etc. I have the encryption/decryption process covered and the browser works... but I didn't do signing of any sort... how to implement this... for every byte? Is signing necessary?
Given your requirements, I have to ask - why are you re-creating SSL? If you have P1 and P2 talk SSL to each other, you get everything you've described here, including signing. I don't understand why you feel the need to recreate an existing protocol.
Grant