Verifying signed jar files programmatically

Hi,
We need to verify the signatures of jar files without using system commands ( e.g. jarsigner.exe ).
The code below is how I tried to extract the certificates associated with the jar entries:
FileInputStream fileIs = new FileInputStream( somefile );
boolean verify = true;
JarInputStream jarIs = new java.util.jar.JarInputStream( fileIs, verify );
JarEntry entry = null;
while ( ( entry = jarIs.getNextJarEntry() ) != null ) {
    if ( !entry.isDirectory() && ! isManifest( entry ) ) {
        // ... read the entire byte stream associated with the entry
        Certificate[] certs = entry.getCertificates();
        // certs always returns null
    }
}
I am not able to extract the certificates associated with the jar entries this way, because entry.getCertificates() always returns null.
What is it that I do not understand? Is there a way to do this?
regards,
jorrit

I got the same problem. And I have done some experiments. The code below works. Note: in order to use the code directly, the last entry has to be a class that has a certificate. You might try with a signed jar that has only one class inside. I am too lazy to write for other cases.
   try {
      File file = new File(jarFilename);
      FileInputStream fileIs = new FileInputStream(file);
      boolean verify = true;
      JarInputStream jarIs =
            new java.util.jar.JarInputStream(fileIs, verify);
      JarEntry entry = null;
      JarEntry Entry = null;
      // Walk to the end of the stream, remembering the last non-directory entry
      while ((entry = jarIs.getNextJarEntry()) != null ) {
         if (!entry.isDirectory()) {
            Entry = entry;
         }
      }
      Certificate[] certs = Entry.getCertificates();
      if(certs == null)
         System.out.println("The entry has no certificate.");
      else {
         // Array is java.lang.reflect.Array
         System.out.println(Array.getLength(certs));
         for(int i = 0; i < Array.getLength(certs); i++)
            System.out.println(certs[i].toString());
      }
   } catch (Exception e) {
      System.out.println("Something went wrong.");
      System.out.println(e.toString());
   }
The problem is that we need to read the jarIs until you reach the last entry before you getCertificates. It sounds stupid, doesn't it?
Enjoy your work.
Nawa

Similar Messages

  • Is it possible to verify a signed jar-file from a program?

    Is it possible to verify a signed jar-file from a program
    (using some API) likewise jarsigner does?

    Is it possible to verify a signed jar-file from a program
    (using some API) likewise jarsigner does?
    Hi,
    You would have to open the jarfile, read each jar entry and for each of them do a getCertificates() and then in turn verify each certificate with the public key of the enclosed certificates in the jar file.
    An easier solution would be to use the verify flag of the JarFile or JarInputStream.
    Hope it helps..
    Cheers,
    Vijay

  • Three questions about signed jar file and applet

    I use three signed jar files. Each of them is signed by a different certificate. The first of the JARs contains the applet class. When I start the applet from an html page I see the message “This applet was signed by…… but Java cannot verify it… Do you trust…?”. Every time I press “Yes I trust”, and after these questions the applet stops working and exits. If I use only one certificate for signing the three JARs then the applet continues to work after the question. 1) What should I do to fix this bug? 2) Is there any method to check from the applet that the user pressed the Trust button? Is there any method to emulate the work of SecurityManager to check that a Certificate object is trusted (I want to call some method check(Certificate) and if the certificate is not trusted I want to see a message with the question: “Do you want to trust this certificate” and so on)?

    Hello Jarman,
    1. If I have a signed jar file, then as long as the
    certificate is recognised as trusted that applet can
    run as a fully trusted application on the client
    machine. So I should not have to add lines such as
    permission java.lang.RuntimePermission
    "readFileDescriptor", "read" ;
    permission java.lang.RuntimePermission
    "writeFileDescriptor", "write" ;
    to my java.policy file. true/false ?
    true
    2. If I am running a signed jar file in the Java
    plugin then I do not need to have a verisign or thawte
    certificate (however to allow my certificate to be
    accepted I do have to import it into the cacerts file
    on the client machine). True/false?
    true
    3. Following on from question 2, if I want to be able
    to run an applet on a client machine, without messing
    around with ANY files on those machines, I need a
    verisign or thawte certificate. True/false?
    true
    4. (And finally) Apart from a security exception
    saying that I need to add one of the lines like those
    of question 1, is there any way I can get other debug
    information as to why the signed jar file is not being
    recognised as signed?
    No. This could be a problem of importing your certificate into the wrong place.
    The information on the following link is a little bit dated but it helped me to successfully install a test certificate and sign an applet with it.
    http://www.suitable.com/Doc_CodeSigning.shtml

  • Verify modified jar files

    Hi all,
    I would like to address a few issues that I have with signed jar files.
    1. I have signed a jar file and am still able to open and change in WinZip. Can I encrypt it so that the contents are not visible in WinZip. If I have an XML or a Text file. I can still change it in WinZip and after I verify it, it verifies successfully, even though the file structure and time-stamp changed.
    Web Start does not recognize the change in the time-stamp because the time on the client is newer than the timestamp of the jar file on the server and hence It does not update.
    Anyone's thoughts?
    Thank you
    Sameer Jaffer

    1. I have signed a jar file and am still able to open
    and change in WinZip.
    Which is correct behaviour.
    A signed jar is a jar which comes with a list of signatures for
    its entries.
    The META-INF/MANIFEST.MF lists entries plus their cryptographic hash number.
    The idea is not to hide content, but to show that the contents are authentic, by providing others a means to calculate and compare cryptographic hash numbers.
    Can I encrypt it so that the
    contents are not visible in WinZip. If I have an XML
    or a Text file. I can still change it in WinZip and
    after I verify it, it verifies successfully,
    This is strange. I guess that xml or test file doesn't show up in the manifest.
    It should look like this:
    Manifest-Version: 1.0
    Main-Class: com.foo.bar
    Created-By: 1.3.0 (IBM Corporation)

    Name: org/w3c/dom/html/HTMLDivElement.class
    SHA1-Digest: KEGYSI2N6pAlc/5X7uVJu8JgEz0=

    Name: com/klg/jclass/util/swing/icons/JCBraceIcon32.gif
    SHA1-Digest: WPiVbRyUePXzwDmBwRJVAsrN6Qo=
    Because you should have provided a new hash once you changed the entry.
    Otherwise Web Start, when verifying the entries (which means it calculates its own hash numbers of the jar entries and then compares them to the hash number listed in the manifest) should complain.
    Regards,
    Marc

  • Verifying signed Jar using Java code

    Hi,
    I have been looking for a way to verify signed or unsigned jar from java code.
    I have to use the jar name and from here, I have to verify the digital signature. For this goal I have found some Java classes which can be useful for me. These classes would be JarEntry class, from which I could get the certificates. Signature class, whose methods let me verify the digital signatures, and Certificate class. I also found a class called SignedObject from I could get the signature data which the method getSignature (), but the problem here it is that I need a private key in the SignedObject constructor, which is not possible since I want to verify a signed jar which I am not able to know the private key, just public key. So, could anybody tell me how I could solve this problem?
    My code would be some as shown below:
    jar = new JarEntry (location);
    jarcertificates = jar.getCertificates();
    /* We should check all the certificates */
    if (jarcertificates != null){
         for (int i=0;i<jarcertificates.length;i++){
              sig.initVerify(jarcertificates[i]);
              sig.update(jar.getExtra());
              sig.verify( DIGITAL SIGNATURE FROM JAR SHOULD BE HERE);
         }
    }
    I guess that I have to use jar.getExtra () in order to get the data to put in Signature.update() method but I am not sure, am I wrong?
    Thanks in advance

    Here is some sample code to verify a jar file:
            JarFile jf = new JarFile(args[0], true);
            byte[] buffer = new byte[8192];
            Enumeration e = jf.entries();
            ArrayList entries = new ArrayList();
            while (e.hasMoreElements()) {
                JarEntry je = (JarEntry) e.nextElement();
                entries.add(je);
                InputStream is = jf.getInputStream(je);
                while (is.read(buffer, 0, buffer.length) != -1) {
                    // we just read. this will throw a SecurityException
                    // if  a signature/digest check fails.
                }
                is.close();
            }
    To validate the certificate chain, you can call JarEntry.getCertificates(), create a CertPath from the array of Certificates (using a CertificateFactory), and then use the CertPathValidator APIs. For more information, see the PKI Programmer's guide: http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html
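
The read-every-entry approach from this answer, which also covers the question in the first thread on this page, extended into a full check as an added example (not code from the original posts). It reports entries that are unsigned or signed by someone else, and it pins one signer certificate rather than validating a chain with CertPathValidator; the class name, method names and file names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: every entry must verify and must be signed by one pinned certificate. */
public class PinnedJarVerifier {

    /** Returns the problems found; an empty list means every entry verified and matched the pin. */
    static List<String> verify(String jarPath, X509Certificate pinned) throws IOException {
        List<String> problems = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {           // true = verify while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry je = entries.nextElement();
                if (je.isDirectory() || isSignatureRelated(je.getName())) {
                    continue;                                       // not signed entries themselves
                }
                try (InputStream is = jar.getInputStream(je)) {
                    while (is.read(buf) != -1) {
                        // Drain the entry: signer information is only set once it is read to the end.
                    }
                } catch (SecurityException e) {
                    problems.add(je.getName() + ": digest or signature check failed: " + e.getMessage());
                    continue;
                }
                CodeSigner[] signers = je.getCodeSigners();         // null for an entry nobody signed
                if (signers == null) {
                    problems.add(je.getName() + ": unsigned entry");
                } else if (!signedBy(signers, pinned)) {
                    problems.add(je.getName() + ": signed, but not by the pinned certificate");
                }
            }
        }
        return problems;
    }

    /** True if the first (signer) certificate of any signer's chain equals the pinned certificate. */
    static boolean signedBy(CodeSigner[] signers, X509Certificate pinned) {
        for (CodeSigner signer : signers) {
            List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
            if (!chain.isEmpty() && chain.get(0).equals(pinned)) {
                return true;
            }
        }
        return false;
    }

    /** Manifest and signature files that sit directly under META-INF/. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', "META-INF/".length()) != -1) {
            return false;
        }
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
                || n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC");
    }

    public static void main(String[] args) throws Exception {
        // Usage (file names are placeholders): java PinnedJarVerifier app.jar signer.cer
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(args[1])) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        List<String> problems = verify(args[0], pinned);
        problems.forEach(System.out::println);
        System.out.println(problems.isEmpty() ? "OK: all entries signed by the pinned certificate" : "FAILED");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

The pin compares certificates only; it does not look at validity dates or revocation, which is what the CertPathValidator route mentioned in the answer adds.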

  • URLClassLoader + dynamically loading signed jar files

    I have an applet that does not know all of the jar files it will need to load at startup.
    I would like to dynamically load these signed jar files using the URLClassLoader, however it does not recognize these jar files as being signed and I get java.security.AccessControlException: access denied errors.
    Any suggestions?
    Thanks!

    Try this classloader for loading the jars, it should do the trick:
    import java.net.URL;
    import java.net.URLClassLoader;
    import java.net.URLStreamHandlerFactory;
    import java.security.AllPermission;
    import java.security.CodeSource;
    import java.security.PermissionCollection;
    import java.security.Permissions;
    public class AllPermissionsClassLoader extends URLClassLoader {
        public AllPermissionsClassLoader (URL[] urls) {
            super(urls);
        }
        public AllPermissionsClassLoader (URL[] urls, ClassLoader parent) {
            super(urls, parent);
            System.out.println(parent);
        }
        public AllPermissionsClassLoader (URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory) {
            super(urls, parent, factory);
        }
        // Grants AllPermission to every code source this loader defines
        protected PermissionCollection getPermissions (CodeSource codesource) {
            Permissions permissions = new Permissions();
            permissions.add(new AllPermission());
            return permissions;
        }
    }
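
The loader above hands AllPermission to whatever it loads, signed or not. A variant that grants it only to code whose signer certificate matches a pinned one, as an added example (not from the original post); the class name and the trustedSigner parameter are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AllPermission;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;

/** Added example: AllPermission only for jars signed by one pinned certificate. */
public class SignerCheckedClassLoader extends URLClassLoader {
    private final X509Certificate trustedSigner;

    public SignerCheckedClassLoader(URL[] urls, ClassLoader parent, X509Certificate trustedSigner) {
        super(urls, parent);
        this.trustedSigner = trustedSigner;
    }

    @Override
    protected PermissionCollection getPermissions(CodeSource codesource) {
        // Start from URLClassLoader's defaults (access to the code's own URL only).
        PermissionCollection permissions = super.getPermissions(codesource);
        if (isSignedByTrustedSigner(codesource)) {
            permissions.add(new AllPermission());
        }
        return permissions;
    }

    /** True if any signer of the code source has the pinned certificate as its signer certificate. */
    boolean isSignedByTrustedSigner(CodeSource codesource) {
        CodeSigner[] signers = codesource.getCodeSigners();   // null for unsigned code
        if (signers == null) {
            return false;
        }
        for (CodeSigner signer : signers) {
            List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
            if (!chain.isEmpty() && chain.get(0).equals(trustedSigner)) {
                return true;
            }
        }
        return false;
    }
}
```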

  • How can i add update signed jar file

    I am developing an applet which requires signing to run in a browser.
    I am developing supporting classes. But these class files have to be added
    to the jar. Isn't it??
    But to test the applet I need to load it in the browser each time I modify the class files. So the jar file needs to be updated every time. But an
    IOError
    is being displayed when I try to update the signed jar file.
    How can I update a signed jar file?? Or is there any other way to test the signed applet during development??

    How can i update signed jar file?
    You can't, the signature is there to make sure the content of the jar hasn't been messed
    with.
    Either recreate the jar and re-sign it or set up a policy during testing.

  • Creating JAR files programmatically

    I am trying to create JAR files programmatically using the java.util.zip and java.util.jar APIs. I am starting with just a set of directories containing .class files. I can seem to make the JAR but if I try to use any of the classes in it they don't work. But, if I unzip the JAR using WinZip, the classes are usable. So I am somehow building the JAR file incorrectly. Does anyone have any ideas or suggestions? The code is pretty long so I won't post it yet but I can send it to you if you'd like to see it. Contact by email if you'd like to see the code. Thanks.

    What paths are you encoding? Here are a couple of rules:
    1 - All paths are '/' separated, and do not begin with a '/'.
    2 - All paths are relative (see 1) and contain the exact package name of the class, plus the class.
    E.G., the class java.lang.Object would look like this in your jar:
    java/lang/Object.class
    Nothing more or less.

  • Turning off jar cache causes classnotfound with signed jar files

    Hi,
    I have a problem with applet signed jars when the java cache is turned off.
    With the cache turned off, I get a class not found for the first class it attempts to use from the signed jar file from an applet.
    If I turn the jar caching on, all works perfectly with no other changes.
    Anyone have any ideas? This is java 6u16.
    Thanks

    jkc532 wrote:
    .. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug?
    From your comprehensive investigation and report, it seems so to me.
    ..I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?
    Just after reading the summary I was tired, so I have some understanding of the effort you have already invested in this (the 'wits' you have already spent). I think you should raise a bug report and seek Oracle's response.

  • Verifying jar files programmatically

    I need to determine at run time if a jar has been signed with our certificate. All the classes I've looked at are Sun classes, or are inaccessable (JarVerifier). Does someone have some code that does this, preferrably without the sun classes? I'll take code with these classes, however.

    I got the same problem. And I have done some experiments. The code below works. Note: in order to use the code directly, the last entry has to be a class that has a certificate. You might try with a signed jar that has only one class inside. I am too lazy to write for other cases.
       try {
          File file = new File(jarFilename);
          FileInputStream fileIs = new FileInputStream(file);
          boolean verify = true;
          JarInputStream jarIs =
                new java.util.jar.JarInputStream(fileIs, verify);
          JarEntry entry = null;
          JarEntry Entry = null;
          // Walk to the end of the stream, remembering the last non-directory entry
          while ((entry = jarIs.getNextJarEntry()) != null ) {
             if (!entry.isDirectory()) {
                Entry = entry;
             }
          }
          Certificate[] certs = Entry.getCertificates();
          if(certs == null)
             System.out.println("The entry has no certificate.");
          else {
             // Array is java.lang.reflect.Array
             System.out.println(Array.getLength(certs));
             for(int i = 0; i < Array.getLength(certs); i++)
                System.out.println(certs[i].toString());
          }
       } catch (Exception e) {
          System.out.println("Something went wrong.");
          System.out.println(e.toString());
       }
    The problem is that we need to read the jarIs until you reach the last entry before you getCertificates. It sounds stupid, doesn't it?
    Enjoy your work.
    Nawa

  • Problems with signed JAR files in JWS/JRE6 environment.

    Hello All,
    I'm encountering a problem running our desktop application as a Java Web Start deployment in a JRE 6 environment. There were never any problems when running the same application as a JWS deployment in JRE 1.4, or 5, environments. There are also currently no problems in a JRE 6 environment when running the application as a standard desktop application.
    The problem which I am having has nothing to do with launching the application. But for good measure, I verified the JNLP file with JaNeLA. A couple things were out of order, which I addressed to make JaNeLA happy, but my problem still persists. Here is my JNLP file (anonymized to protect the innocent):
    TS: 2010-10-18 17:04:46
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp codebase="$$codebase" href="$$name">
         <information>
              <title>Acme Desktop</title>
              <vendor>Acme Corporation</vendor>
              <homepage href="http://www.acme.com/"/>
              <description>Acme Client for Acme Server</description>
              <description kind="tooltip">Acme Client for Acme Server</description>
              <icon href="desktop.gif"/>
              <offline-allowed/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <j2se version="1.5+"/>
              <jar href="acmedesktop.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/antlr-2.7.2.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/backport-util-concurrent.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/commons-codec-1.3.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/commons-httpclient.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/commons-logging.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/acmeapi.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/HelpJavaDT.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/HelpJavaDT_es.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/jacorb.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/Multivalent.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/slf4j-api-1.5.6.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/slf4j-jdk14-1.5.6.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/snow.jar" download="lazy" version="8.00.01.00+"/>
              <jar href="lib/AcmeTMClient.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/xercesImpl.jar" download="eager" version="8.00.01.00+"/>
              <jar href="lib/xml-apis.jar" download="eager" version="8.00.01.00+"/>
              <extension name="installer" href="desktopInstaller.jnlp" />
              <extension name="Java Help" href="help.jnlp"/>
              <property name="java.library.path" value="./lib"/>
              <property name="admin" value="false"/>
              <property name="webstart" value="true"/>          
              <!-- The following two lines are for SSO implementation only
              <property name="urladdress" value="http://localhost:8080/AcmeDesktop/servlet/AcmeServlet"/>
              <property name="cookiespec" value="RFC2109"/>
              -->          
         </resources>
         <resources os="Windows">
              <nativelib href="lib/jniWin32.jar" version="8.00.01.00+"/>
         </resources>
         <application-desc main-class="desktop"/>     
    </jnlp>
    When running as a JWS deployment, on JRE 6, the application will be functioning normally for a little while, and then suddenly the following exception is thrown, and the current operation fails because the class in question cannot be accessed:
    java.lang.SecurityException: class "acmeapi.communication.CDocImpl"'s signer information does not match signer information of other classes in the same package
         at java.lang.ClassLoader.checkCerts(ClassLoader.java:807)
         at java.lang.ClassLoader.preDefineClass(ClassLoader.java:488)
         at java.lang.ClassLoader.defineClassCond(ClassLoader.java:626)
         at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
         at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
         at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
         at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
         at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
         at com.sun.jnlp.JNLPClassLoader.findClass(JNLPClassLoader.java:288)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
         at acmeapi.common.CDoc.getAnnotationsInfo(CDoc.java:493)
         at acmedesktop.communication.CCommunicationManager.privateGetAnnotations(CCommunicationManager.java:1976)
         at acmedesktop.communication.CCommunicationManager.getAnnotations(CCommunicationManager.java:1828)
         at acmedesktop.annotations.CViewAnnotations.getAnnotations(CViewAnnotations.java:826)
         at acmedesktop.annotations.CViewAnnotations.createView(CViewAnnotations.java:583)
         at acmedesktop.annotations.CViewAnnotations.setData(CViewAnnotations.java:736)
         at acmedesktop.annotations.CViewAnnotations.init(CViewAnnotations.java:205)
         at acmedesktop.hitspanel.CHitsPanel.viewAnnotations(CHitsPanel.java:281)
         at acmedesktop.hitspanel.CHitsTab$3.mousePressed(CHitsTab.java:316)
         at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:263)
         at java.awt.Component.processMouseEvent(Component.java:6260)
         at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
         at java.awt.Component.processEvent(Component.java:6028)
         at java.awt.Container.processEvent(Container.java:2041)
         at java.awt.Component.dispatchEventImpl(Component.java:4630)
         at java.awt.Container.dispatchEventImpl(Container.java:2099)
         at java.awt.Component.dispatchEvent(Component.java:4460)
         at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4574)
         at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4235)
         at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
         at java.awt.Container.dispatchEventImpl(Container.java:2085)
         at java.awt.Window.dispatchEventImpl(Window.java:2478)
         at java.awt.Component.dispatchEvent(Component.java:4460)
         at java.awt.EventQueue.dispatchEvent(EventQueue.java:599)
         at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
         at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
         at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
         at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
         at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
         at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
    The classes of our desktop product are contained within the 'acmedesktop' and 'acmeapi' packages. It requires access to the hard drive of the workstation, and therefore, all jar files included with the application are signed using the following ANT task when compiled:
    <signjar keystore="resources/codesigning/keystore.pfx" storetype="pkcs12" storepass="myPassword" alias="myAlias">
         <fileset dir="${jws_dist}/app" includes="*.jar"/>
         <fileset dir="${jws_dist}/app/lib" includes="*.jar" excludes="jhall__V${dt_version}.jar"/>
    </signjar>
    Therefore, all classes, within all jar files, are signed with the same certificate (with the exception of the JavaHelp libraries, which are already signed by Sun - but the class in question attempting to be loaded here is not contained within the JavaHelp jar file anyway). So, the point being, that the exception message stating that the "signer information of the acmeapi.communication.CDocImpl class doesn't match the signer information of other classes in the same package", is simply not correct. All classes within that jar file were signed using the same certificate.
    I downloaded the JRE 6 source from dev.java.net and picked through this issue with a debugger. The ClassLoader.checkCerts() method compares the certificate used to sign the current class which is attempting to be loaded, with the certificates which signed all other previously loaded classes within the same package. If they don't match, the exception above is thrown. What is causing the issue is when the checkCerts() method attempts to get the certificates which signed the currently loading class, null is returned. And obviously, comparing null, with an array of the certificates which signed the previously loaded classes, isn't going to match; therefore this exception is thrown.
    The checkCerts() method gets the certificates of the currently loading class by calling the java.security.CodeSource.getCertificates() method. Tracing deeper in the debugger, the CodeSource object ultimately gets the certificates from the 'signersRef' member variable of the com.sun.deploy.cache.CachedJarFile class. signerRef is a SoftReference object and can therefore be garbage collected at some point. If it has already been garbage collected, the CachedJarFile class will attempt to retrieve it again from the loaded cache entry by calling com.sun.deploy.cache.MemoryCache.getLoadedResource().
    The MemoryCache class maintains the cache entries to the jar files as MemoryCache.CachedResourceReference objects, which subclass WeakReference, and therefore these objects can be garbage collected as well. If the cache entries have also been garbage collected, this leaves the CachedJarFile class with no ability to repopulate the CachedJarFile.signerRef object. Therefore it is completely out of luck getting the certificates which signed the currently loading class, which ultimately causes the above exception.
    When the com.sun.deploy.cache.Cache class attempts to retrieve a cache entry using its getCacheEntry() method, it will attempt to get the entry from the MemoryCache class, if null is returned, it will recreate the cache entry and add it back to the MemoryCache. In contrast, when the CachedJarFile class attempts to get a cache entry from the MemoryCache class, if null is returned, it just gives up.
    (from com.sun.deploy.cache.CachedJarFile:244)
    private CacheEntry getCacheEntry() {
         /* if it was not created by Cache do not search for entry */
         if (resourceURL == null)
              return null;
         CacheEntry ce = (CacheEntry) MemoryCache.getLoadedResource(resourceURL);
         if (ce == null) {
              //This should not happen because CacheEntry should not get collected
              // before CachedJarFile is collected.
              Trace.println("Missing CacheEntry for " + resourceURL + "\n" + ce,
                   TraceLevel.CACHE);
         }
         return ce;
    }
    When debugging, code execution falls within the code block with the comment stating "This should not happen...", but it is happening in my case.
    On an interesting side note, using the jvisualvm.exe tool included with JDK 6, I was able to tell that it seems as though these objects are collected the first time that the JVM allocates more heap space, and then the issue will occur. If I set the initial heap size very large (using -Xms) this issue won't occur at all. But that is kind of a bad solution which I would rather not do, but it is interesting to note for the sake of troubleshooting this issue. The max heap size (-Xmx) is plenty big enough, so the issue is not that we are running out of memory here.
    Does anyone have any insight as to what could be causing this? I've searched, and found a couple threads with similar problems but with no clear solutions. It is not just one workstation either, it happens everywhere I deploy the app as a Java Web Start application in a JRE 6 environment. I have been using version 1.6.0_18 on XP, but it seems to happen on any update version of 1.6. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?
    Thank you
    Jake
    Edited by: jkc532 on Nov 12, 2010 10:35 AM

    jkc532 wrote:
    .. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug?
    From your comprehensive investigation and report, it seems so to me.
    ..I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?
    Just after reading the summary I was tired, so I have some understanding of the effort you have already invested in this (the 'wits' you have already spent). I think you should raise a bug report and seek Oracle's response.

  • Unable to get jarsigner to sign jar file using pkcs11 smartcard

    I'm using a JDK jdk1.6.0_14 with a datakey smartcard with the below info in pkcs11.cfg file:
    name = DK330
    library = c:\windows\system32\dkck232.dll
    I have also configured the java.security file to include the security.provider.10=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg
    I have my environment set for the below to keep it simple as possible:
    JAVA_HOME=C:\Program Files\Java\jdk1.6.0_14
    CLASSPATH=C:\Program Files\Java\jdk1.6.0_14\lib
    PATH=C:\Program Files\Java\jdk1.6.0_14\bin;c:\windows;c:\windows\system32
    1) I am able to Confirm that the secret key is present in the keystore
    keytool -v -list -keystore NONE -storetype PKCS11 -storepass xxxxxx
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-DK330
    Your keystore contains 1 entry
    Alias name: CS.NOLSC.002's U.S. Government ID
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=CS.NOLSC.002, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US, OU=PKI, OU=DoD, O=U.S. Government, C=US
    Issuer: CN=DOD CA-14, OU=PKI, OU=DoD, O=U.S. Government, C=US
    Serial number: 3e8e
    Valid from: Mon Feb 05 14:53:22 EST 2007 until: Thu Feb 04 14:53:22 EST 2010
    Certificate fingerprints:
    MD5: 9D:34:AF:D8:DE:18:15:78:D6:88:3D:37:83:FA:DC:E8
    SHA1: 8A:BB:39:D5:2B:45:F7:CE:A3:93:C5:71:5C:36:DC:FE:3F:B4:7D:9A
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature etc
    2) When I try to sign the applet using the below commands I get the same errors:
    command 1:
    jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ${java.home}/lib/security/pkcs11.cfg sfilechooser.jar "CS.NOLSC.002's U.S. Government ID"
    I get this error::
    jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
    command 2:
    jarsigner -verbose -keystore NONE -storetype PKCS11 -storepass xxxxxx sfilechooser.jar "CS.NOLSC.002's U.S. Government ID"
    jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
    I can also confirm the jar file that I'm trying to sign is unsigned using the below command without problem.
    C:\Program Files\Java\jdk1.6.0_14\bin>jarsigner -verify -verbose -certs -keystore NONE -storetype PKCS11 sfilechooser.jar
    Enter Passphrase for keystore:
    0 Wed Jul 08 09:36:06 EDT 2009 META-INF/
    71 Wed Jul 08 09:36:06 EDT 2009 META-INF/MANIFEST.MF
    4227 Tue Jun 09 09:56:20 EDT 2009 DirList.class
    0 Wed Jul 08 09:29:52 EDT 2009 FileChooserPackage/
    4728 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/DirUtil.class
    809 Fri May 29 13:05:42 EDT 2009 FileChooserPackage/FileChooserBean$AWTFileDialogThread.class
    765 Fri May 29 13:05:42 EDT 2009 FileChooserPackage/FileChooserBean$AWTSaveDialogThread.class
    819 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$FileChooserBeanThread.class
    1015 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$FormsDecoderException.class
    815 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$SaveFileChooserThread.class
    17198 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean.class
    s = signature was verified
    m = entry is listed in manifest
    k = at least one certificate was found in keystore
    i = at least one certificate was found in identity scope
    jar is unsigned. (signatures missing or not parsable)
    ======================================
    What could be my problem to get my applet signed? I'm at a loss.

    I found the problem.
    I was able to use jarsigner correctly after I backed off on the GemPlus driver version from v4.7.062 file name dkck232.dll to the previous version of dkck201.dll at v4.7.062.

  • Verifying signed JARs is crap!

    I sign & verify my JARs with jarsigner. The jarsigner works well and the JARs are signed correctly.
    jarsigner -verify myjar.jar
    Result:
    jar verified.
    But I do not understand why my JARs were still verified when I delete a class file. Is there no checksum for the whole JAR? That's number one.
    I need a pure java solution to verify a JAR. That's number two.
    I tried e.g.
    //java.util.jar.JarFile(File file, boolean verify)
    java.util.jar.JarEntry(jar,true)
    and
    //java.util.jar.JarInputStream(InputStream in, boolean verify)
    java.util.jar.JarInputStream(in,true)
    but the verify flag doesn't show any difference. No SecurityException.
    Thanks for your help.
    greetz polyurethan
    Edited by: polyurethan on May 12, 2009 10:08 AM

    As I understood the jar file signing/checksum concept - a JAR file is just tampered if it got changed, not if a class file got deleted.
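
A pure-Java check for the two points raised in this thread, as an added example that is not part of the original posts: it reads every entry to the end so the `verify` flag takes effect, and it compares the jar's contents with the manifest so a deleted class file is reported. The class and method names (`JarSignatureCheck`, `check`, `isSignatureFile`) are hypothetical, and the jar path is assumed to be passed as the first argument.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.*;
import java.util.jar.*;

public class JarSignatureCheck {
    // Signature bookkeeping files in META-INF are not themselves signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Returns the problems found; an empty list means every entry verified and none is missing.
    static List<String> check(File jar) throws IOException {
        List<String> problems = new ArrayList<>();
        try (JarFile jf = new JarFile(jar, true)) {            // true = verify while reading
            Manifest mf = jf.getManifest();
            if (mf == null) return Collections.singletonList("no manifest: jar is unsigned");
            // File names the manifest carries a section for, i.e. what existed at signing time.
            Set<String> expected = new TreeSet<>(mf.getEntries().keySet());
            expected.removeIf(n -> n.endsWith("/"));
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                String name = e.getName();
                if (e.isDirectory() || isSignatureFile(name)) continue;
                expected.remove(name);
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* digest is checked only once fully read */ }
                } catch (SecurityException ex) {
                    problems.add("verification failed: " + name + " (" + ex.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();     // null until the entry was read
                if (signers == null || signers.length == 0) problems.add("unsigned: " + name);
            }
            for (String n : expected) problems.add("in manifest but missing from jar: " + n);
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        List<String> problems = check(new File(args[0]));      // path to the jar to check
        problems.forEach(System.out::println);
        System.out.println(problems.isEmpty() ? "jar verified." : "jar NOT verified.");
    }
}
```

This confirms that the entries match what was signed; whether the signer's certificate is one you trust still has to be checked against your own trust store.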

  • Path signing .jar files in configuring webutil

    In the first section of the sign_webutil.bat file there are some remarks such as :
    'NAME
    REM sign_webutil.bat - Sample script to sign frmwebutil.jar and jacob.jar
    REM USAGE
    REM sign_webutil.bat <jar_file>
    REM jar_file : Path of the jar file to be signed.
    REM NOTES
    REM This script uses keytool and jarsigner utilities, which usually comes
    REM along with JDK in its bin directory. These two utilities must be
    REM available in the PATH for this script to work. Otherwise, signing
    REM will fail even though the script may show a successful signing.'
    Which is the PATH referenced in the remarks above? Is it the forms_path , forms_classpath in registry or somewhere else?
    Please define it .... , because the signing fails.

    You were right!!!
    I'm not sure what to write down in the formsweb.cfg (configuration file) , following the instructions on the on-line help of Developer Forms 10g , in step 9..
    The step 9 says...
    Because in this release the JACOB code is in an external Jar file and not incorporated into frmwebutil.jar, it needs to be downloaded. To do this, change the WebUtilArchive setting to read: webUtilArchive=/forms/webutil/frmwebutil.jar,/forms/webutil/jacob.jar
    The doubt is pointed to the fact that the frmwebutil.jar isn't in the ORACLE_HOME\forms\webutil path but it is ORACLE_HOME\forms\java path.
    Also , these paths referenced in webUtilArchive are physical paths in a Unix system or they are logical paths in a url?
    Simon

  • Signed applet : problem signing jar files that are in build path

    Hello,
    I have a problem while trying to create an ftp applet.
    I use org.apache.commons.net.ftp and I build path for commons-net-1.1.4.jar and then I build my classes.
    When I create a jar file with my classes and after signing it, it works under eclipse but not on a web page.
    I had signed commons-net-1.1.4.jar before to build the path in eclipse but commons-net-1.1.4.jar is not in my jar file.
    What is the way to sign applet correctly even if some jar resources are in eclipse build path?
    Thank you

