Signing and verifying an application

Hi
We have an application contained in a jar file. We need to sign the application so that the user can be sure that the application has not been modified maliciously. This is a standard desktop application which will be run on a desktop PC. We sign our jar file with jarsigner and keytool to test it. When it works correctly we buy a "Sun Java Signing Digital ID" from www.verisign.com!
But now I have the problem that I need to check whether the jar is verified on every startup, as the first thing! It's to check that nobody has changed classes in the jar to avoid the registration, for example! How can I check on startup whether the jar is verified? Must I run a special method in the security manager?
THANKS!

It makes no sense to verify the application with some code inside the application itself.
When the app is patched with malicious code, the code for verifying may be manipulated too.

That is true. There is no guaranteed way except to have a secure application loader on the system already.

But it makes it more difficult for criminal persons when we check if the classes have been verified and check if the signature is the right one! If somebody wants to crack an application and he is good, he can crack every application (see WinXP ;-)), but we can make it as difficult as possible for the cracker! When the complexity is bigger than the costs, most crackers won't crack the application! It is impossible to secure your application completely!

I certainly understand the concern and I have read a fair amount on code signing and other security concerns, but frankly I wonder how ubiquitous this problem really is. Does this type of thing really happen?
There is already a built-in difficulty for a hacker to do this. Bob, the hacker, cannot just take any arbitrary data stream and inject or replace data into it except for the purposes of corrupting the stream to the point of making it not usable. Of course, Bob could simply replace the entire stream with his own application if he knows that the stream is an application originally (if it's an image, it makes no sense, as I'm not going to "execute" an image file, nor the OS, as it's going to open it based on file extension). So the only way for Bob to do anything useful is to first get a copy of the application, then decompile it and/or profile it to see what it is and how it works and then spend time figuring out how he can change it to actually get it to do anything except not work.
There is a generally better way to handle this: MD5 or SHA digests for the application package. If you go to get any open source application these days (anything from Apache, as an example), you can get an MD5 sum for it to check against what to download. Of course, the user has to do this, but such is life.
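
An added example (not from any poster in this thread) of the startup check asked about above: it opens the jar with verification enabled, reads every entry so the digests are actually checked, and requires each entry to be signed by a pinned certificate. The class name and the EXPECTED_SIGNER_SHA256 placeholder are assumptions; as the replies point out, a check shipped inside the jar can itself be patched out, so this is written to be run from a separate launcher that receives the jar path.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {
    // Placeholder (assumption): hex SHA-256 of your own signing certificate, DER-encoded.
    static final String EXPECTED_SIGNER_SHA256 = "<sha256-of-your-signing-certificate>";

    // JarFile checks digests and signatures but not trust in the signer, hence the pinned fingerprint.
    static boolean signedByExpected(String jarPath, String pinnedSha256) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {       // true = verify while reading
            if (jar.getManifest() == null) return false;       // no manifest, so nothing is signed
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* signers are known only after a full read */ }
                }
                if (!hasPinnedSigner(e.getCodeSigners(), pinnedSha256)) return false;
            }
            return true;
        } catch (SecurityException tampered) {                 // digest or signature mismatch
            return false;
        }
    }

    static boolean hasPinnedSigner(CodeSigner[] signers, String pinnedSha256) throws Exception {
        if (signers == null) return false;                     // entry added or left unsigned
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (sha256Hex(leaf.getEncoded()).equalsIgnoreCase(pinnedSha256)) return true;
        }
        return false;
    }
    // Signature bookkeeping files directly under META-INF/ are not themselves signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java JarSignatureCheck path/to/application.jar
        boolean ok = args.length == 1 && signedByExpected(args[0], EXPECTED_SIGNER_SHA256);
        System.out.println(ok ? "signed by expected certificate" : "signature check FAILED");
        if (!ok) System.exit(1);
    }
}
```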

Similar Messages

  • Signing and Organizing Forms Application...?

    I am using an iPad for our food ministry. I need an application that allows me to sign (and resize signature to fit on lines) forms, alphabetize forms by name or even address, and do this fast and easily. Does anyone know of an application that I could use? Please Help!

  • Sample code to sign and verify

    Hi,
    Those of you who might be following my threads will know that signing and verifying data is proving to be a big problem
    on my Java Card. I use JC 2.1.1
    Could anyone please post a simple code snippet that signs AND verifies data. Please post code that actually works on your card and is thus tested and proven.
    Thank you all very much for all your support and help.

    Hi,
    probably not the right forum for this type of questions. However, have a look here, maybe it helps: https://blogs.oracle.com/shay/entry/to_adf_or_oaf_or
    Frank

  • TS1702 I can't install and update any application, even for the free app the system ask me to sign in to the billing payment. Even though that I did sign, it still declined. Any one could help, please

    All Apple iTunes Store accounts must have a valid form of payment set up. Even for free apps and updates. The Payment Declined message comes from your card issuer or payment source; Apple is just a pass-through for the message. You need to find out why your issuer is declining your card.

  • I have two apple id accounts ,when i used to update application it used to prompt a default id and if the application was downloaded using the other id i would cancel and it would prompt the other id but not any more .

    i have two apple id accounts ,when i used to update application it used to prompt a default id (the old one) and if the application was downloaded using the other id i would cancel and it would prompt the other id but not any more .
    it just prompt the old id which im not signed in with im signed in using the new id and when i cancel nothing happens and when i try to update applications separately  i have the same problem .
    im signed in using the new id
    the old one is my wife's so i can't delete it
    the problem happens  when i update all or  each application by its own
    using ios 5.0.1 on a iphone 3gs
    the applications are downloaded using both the new and old id's
    any help will be greatly appreciated

    These are user-to-user forums, you are not talking to Apple here and they don't monitor these forums - I've asked the hosts to remove your account ids from your post.
    In terms of combining accounts it's not currently possible to do so, nor to copy/transfer content from one account to another.

  • My ipod is not working at all when i plug it into my laptop i get an itunes sign and below that plugin sign

    My ipod is not working at all when i plug it into my laptop i get an itunes sign and below that plugin sign also it says new software found however it first asks me to install the software disc which i dont have it with me now can you plz check for the same and reply asap...please thanks.

    The link I and Ingo provided included:
    1. Remove iTunes and related components from the Control Panel
    Use the Control Panel to uninstall iTunes and related software components in the following order and then restart your computer:
    iTunes
    QuickTime
    Apple Software Update
    Apple Mobile Device Support
    Bonjour
    Apple Application Support (iTunes 9 or later)
    Important: Uninstalling these components in a different order, or only uninstalling some of these components may have unintended affects.
    That is more than quicktime and iTunes.  Follow all the instruction in the link for removing and reinstalling the Apple software.

  • The volume up and down controls on my wireless keyboard show a no entry sign and do not respond when used...please help?

    If you want to get a little more "exotic" you can try remapping the function keys.  I did a little google searching and the hits that looked promising are,
    Mapping volume and eject keys to 3rd-party keyboard Other Hardware
    Spark
    Spark is a powerful, and easy Shortcuts manager. With Spark you can create Hot Keys to launch applications and documents, execute AppleScript, control iTunes, and more...
    You can also export and import your Hot Keys library, or save it in HTML format to print it.
    Spark is free, so use it without moderation!

  • How do you change the color of the sign and fill text to the color blue

    How do you change the color of the sign and fill text to the color blue in a pdf document

    Is this using the "Fill & Sign" tab of https://cloud.acrobat.com/fillsign (for now text input is only black) or maybe using the Fill & Sign tool in Adobe Reader XI, or another application? 
    Thanks,
    Josh

  • I have 2 point security for AppleID. My iPhone 4S is listed as my trusted phone to text. No tel. no. is given. I am updating to iPhone 6Plus with same tel. no. Do I need to change anything for the sign in verification?

    Of course you can also add your iPhone telephone # as a trusted device.
    This way when you insert your SIM card into any phone, Apple will automatically recognize your cell phone # as a
    trusted device (may be handy if iphone breaks but you insert SIM card into another phone).
    HOWEVER:
    Having also your iPhone as a trusted device, is convenient if you travel and use a different SIM card
    at destination. This way you can still use the iphone for verification, even though you are using a different
    phone #.
    Regards

  • Euro-sign (and Greek) doesn't work even with nchar/nvarchar2

    This is something that has been blocking me for a few days now, and I'm running out of ideas.
    Basically, the problem can be summarised as follows:
    declare
        text nvarchar2(100) := 'Make €€€ fast!';
    begin
      dbms_output.put_line( text );
    end;
    And the output (both in SQL Developer and Toad) is:
    Make ¿¿¿ fast!
    See, I was under the impression that by using nchar and nvarchar2, you avoid the problems you get with character sets. What I need this for is to check (in PL/SQL) what the length of a string is in 7-bit units when converted to the GSM 03.38 character set. In that character set, there are 128 characters: mostly Latin characters, a couple of Greek characters that differ from the Latin ones, and some Scandinavian glyphs.
    Some 10 other characters, including square brackets and the euro sign, are escaped and take two 7-bit units. So, the above message takes 17 7-bit spaces.
    However, if I make a PL/SQL function that defines an nvarchar2(128) with the 128 standard characters and another nvarchar2(10) for the extended characters like the euro sign (the ones that take two 7-bit units), and I do an instr() for each character in the source string, the euro sign gets converted to an upside-down question mark, and because the delta (the first Greek character in the GSM 03.38 character set) also becomes an upside-down question mark, the function thinks that the euro sign is in fact a delta, and so assigns a length of 1.
    To try to solve it, I created a table with an nchar(1) for the character and a smallint for the number of units it occupies. The characters are entered correctly, and show as euro signs and Greek letters, but as soon as I do a query, I get the same problem again. The code for the function is below:
      function get_gsm_0338_length(
        text_content in nvarchar2
      ) return integer
      as
        v_offset integer;
        v_length integer := 0;
        v_char nchar(1);
      begin
        for i in 1..length(text_content)
        loop
          v_char := substr( text_content, i, 1 );
          select l
          into v_offset
          from gsm_0338_charset
          where ch = v_char;
          v_length := v_length + v_offset;
        end loop;
        return v_length;
        exception
          when no_data_found then
            return length(text_content) * 2;
      end get_gsm_0338_length;
    Does anybody have any idea how I can get this to work properly?
    Thanks,
    - Peter

    Well, the person there used a varchar2, whereas I'm using an nvarchar2. I understand that you need the right codepage and such between the client and the database if you use varchar2, which is exactly the reason why I used the nvarchar2.
    However, if I call the function from /Java/, it does work (I found out just now). But this doesn't explain why SQL Developer and Toad are being difficult, and I'm afraid that, because this function is part of a much bigger application, I'll run into the same problem.
    - Peter

  • Issue while Signing and Encrypting the PDF Document.

    Hello,
    I am developing one component in VC++(MFC) which signs and encrypts the pdf documents.
    When i sign and encrypt pdf document using my component, I am getting following error while opening the document in Adobe Acrobat
    Error during signature verification
    Unexpected byte range values defining scope of signed data.
    Details: The signature byte range is invalid
    But if i open that document in binary mode and calculate the byte range its looking correct.
    The Process for signing and encrypting the PDF document is as follows :
    1) Prepare the PDF document for signing (add Annotation objects, n0, n2 layers, create blank signature field, new xref section etc.).
    2) Encrypt the whole document (password-based encryption).
    3) Put the ByteRange values.
    4) Write the signature in blank signature field.
    If I just perform encryption (128 bit RC4 algorithm) on the PDF document it's working fine. Only after adding the signature objects I am getting the above error. I think it means something is wrong in the signature-related objects, but I am not able to recognize the exact problem.
    So what can be the issue?
    Please Help
    Thanks in Advance
    Priyanka

    I am sending the Sample Files
    blank.pdf file is a original file
    http://www.2shared.com/file/4677649/3f341d92/blank.html
    step 1: I am adding Signing object(without data in Contents<> key) in
    blank.pdf file.
    Output File is Prepared-blank.pdf
    http://www.2shared.com/file/4677648/48332d04/Prepared-blank.html
    step 2: Sending Prepared-blank.pdf file for encryption.
    Output File is SignednEncrypted-blank.pdf which is Encrypted and Signed.
    http://www.2shared.com/file/4677647/d88c3095/SignednEncrypted-blank.html
    Password for opening SignednEncrypted-blank.pdf is : "a".
    Please help.
    Thanks.

  • Signing and Saving PDF

    My Adobe isn't letting me add a signature, and the document that I am downloading from my school's website has signature not allowed under properties. Tried to convert to word and then back to a PDF to change properties but it is still not allowing signatures without echosign. My prof needs to add his own signature and does not want to do it through echosign. Trying to get the document signed and saved as a PDF then sent to him. Any suggestions?

  • How to disable digital signing and saving of PDF form?

    I have a PDF form that I have created. It does not have a signature field because I need them to print and physically sign the form. However no matter what I do Adobe Reader offers the option to digitally sign the form (as well as save it). How do I disable this?? Thank you for the help in advance.

    Thank you for the answer and explanation.  Unfortunately I am still not sure the best solution.
    It is a business application for a city site. As a result the limit of 500 is obviously not going to work. Also for legal reasons they need the form physically signed.
    The original hope was to provide a PDF form that could be filled in (almost entirely) on the computer if desired and then printed, signed, and turned in to the city.
    What they don't want is for someone to fill it out on the computer, use the echosign and email it as they need the physical signature.
    Sounds like we might have to choose between:
    - not having it interactive (so they can just print it out and fill it out)
    Or
    - make it so they can fill it out on the computer, but include instructions that they need to print it out and physically sign it. And hope they follow the instructions.
    Again, thank you for the explanation. I think I will just have to let them decide.

  • How to generate single signature for code signing and timestamp

    Hi we are developing Win 7 VC++ app using Crypto APIs.
    Here code signing is done using CryptSignHash() method, that generates the signature. Later for time stamping CryptRetrieveTimeStamp() method is used which also generate the time stamp signature. Thus we wanted to know whether there is any single Crypto API available that can do code signing and timestamping together and shall generate single signature. At verification side it should be also possible to separate code signing and timestamp signatures prior to verification.
    Any help is highly appreciated. Thanks.

    On 4/17/2015 1:21 AM, Babu12345 wrote:
    *Hi we are developing Win 7 VC++ app using Crypto APIs.*
    *Here code signing is done using CryptSignHash() method, that generates the signature. Later for time stamping CryptRetrieveTimeStamp() method is used which also generate the time stamp signature. Thus we wanted to know whether there is any single Crypto API available that can do code signing and timestamping together and shall generate single signature.*
    No. Normally, you don't counter-sign the actual data - you counter-sign and time stamp your signature. You don't want to transmit the whole data (which could be a) large and b) confidential) to a third party. This is why it's a two step process.
    Igor Tandetnik

  • Simple question involving data signing and encryption

    What exactly is meant by signing and encrypting data?
    And how would it apply to the case of a web browser..where I have to sign and encrypt data to and from a web browser? In this case it is an output and input stream.
    Does every byte have to be signed or just the starting bytes? Signing every byte would make the process slow and inefficient

    I know if you sign and encrypt the data to the
    web browser, it will obviously not be recognized but
    this is my scenario:
    Your ASCII art didn't come across at all, I'm afraid - I'm not sure what you were going for, but I can't seem to recreate it. I think I can follow the explanation, though.
    P is the program i am developing. It is supposed to
    encrypt and sign data to and from the web browser.
    P1 get the web browser request, encrypts the data
    a and is supposed to sign the data...send it
    to P2 which decrypts and verifies the signing which
    then forwards it to the proxy or the server as seen.
    Vice versa from the server response.
    So you're working on a web-proxy that encrypts its transmissions, and you want to add signature verification as well.
    My question still remains...how do you sign a stream?
    I answered your question, actually. You don't sign "streams" - you sign "messages". In your case, you sign the entire transmission, and then you transmit it.
    Right now I am using RSA keys to send a symmetric key
    across safely for the decryption etc I have the
    encryption/decryption process covered and the browser
    works..but i didn't do signing of any sort...how to
    implement this..for every byte? Is signing necessary?
    Given your requirements, I have to ask - why are you re-creating SSL? If you have P1 and P2 talk SSL to each other, you get everything you've described here, including signing. I don't understand why you feel the need to recreate an existing protocol.
    Grant
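
The point made in the reply above, that one signature covers a whole message rather than individual bytes, as an added Java example that is not part of the original posts: the stream is fed through a single Signature object in chunks and one signature comes out at the end. The class name, the constructed sample request and the freshly generated demo key are assumptions; between two proxies, TLS already provides this integrity protection.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class StreamSignDemo {
    // Sender side (P1 in the thread): hash the stream chunk by chunk, sign once at the end.
    static byte[] sign(InputStream in, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        pump(in, s);
        return s.sign();
    }

    // Receiver side (P2): feed the received bytes the same way, then check the one signature.
    static boolean verify(InputStream in, byte[] sig, PublicKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        pump(in, s);
        return s.verify(sig);
    }

    private static void pump(InputStream in, Signature s) throws Exception {
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) {
            s.update(buf, 0, n);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair; in the thread's setup P1 holds the private key, P2 the public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Constructed sample message standing in for one browser request.
        byte[] msg = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
                .getBytes(StandardCharsets.US_ASCII);
        byte[] sig = sign(new ByteArrayInputStream(msg), kp.getPrivate());

        byte[] altered = msg.clone();
        altered[5] ^= 1;   // a single flipped bit anywhere in the message

        System.out.println("original verifies: "
                + verify(new ByteArrayInputStream(msg), sig, kp.getPublic()));
        System.out.println("altered verifies:  "
                + verify(new ByteArrayInputStream(altered), sig, kp.getPublic()));
    }
}
```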
