How To Verify Signed Jar

This is required when you are facing some issues with any server and not sure if any jars got corrupted or replaced something which is not authenticate.

To avoid this situations usually Application servers inbuilt jars comes with signs of the owner, so that at later part they can verify if the server jars are genuine or altered ones.

The bad thing about signed jars is that they load slower than unsigned jars as it’s CPU-bound, but sometimes noticed that it might cause a 100% increase in loading time. Also, patching is also tough as you have to re-sign the jar, class-patches are impossible (all classes in a single package must have the same signature source) but still if you need to check the integrity of the jars then you can follow below methods to verify.

– copy the jar to %JAVA_HOME%\bin folder
– Use following command to verify

 jarsigner -verify jar_name.jar

– If Jar is signed it will give following outputs:

verification success: jar verified.

If verification fails it will give the following output:

java.lang.SecurityException: .....

If Jar is not a signed:

jar is unsigned. (signatures missing or not able to parse)

On the other hand for a quick check you can also unzip the jar file and check whether there are any other files(.SF and .RSA extensions) available along with MANIFEST.MF file in META-INF directory, if available then you can conclude that these jars are signed jars.

 

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.