Difference between revisions of "Signing jar files with jarsigner"

From OWASP
Line 1: Line 1:
 
Most of the information in this note can be found in the `help' section of the jarsigner and keytool utilities:
 
Most of the information in this note can be found in the `help' section of the jarsigner and keytool utilities:
  
<code>
+
<code>jarsigner --help</code>
jarsigner --help
+
  
keytool --help
+
<code>keytool --help</code>
</code>
+
  
 
== Criteria for Signature Validity ==
 
== Criteria for Signature Validity ==
 +
 +
The criteria of validity of a digital signature are the following:
 +
* No modification of the archive resources after the signature,
 +
* certificate not outdated (or not yet valid).
 +
 +
Moreover, the signer of the archive must be known, <i>i.e.</i> its public key certificate must be identified as trusted before the validation. Otherwise, any malicious third party can forge a similar certificate, potentially with the same signer name, and present a coherent signed archive.
 +
 +
Additional criteria of archive signature validity are defined in the context of the OSGi framework, that are specific to the deployment of components from third party repositories:
 +
* No resource removed from the archive after the signature,
 +
* No resource added from the archive after the signature,
 +
* The digital signature must immediately follow the Manifest file of the archive, to prevent caching malicious files.
 +
 +
This means that according to the security level you need, the Sun criteria of signature validity may not be sufficient.
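Review bot: the added OSGi bullet "No resource added from the archive after the signature" should read "added to the archive"; with "from" it reads as a repeat of the removal criterion above it. The added bullet "certificate not outdated (or not yet valid)" is ambiguous, since the parenthesis can be read as accepting a certificate that is not yet valid; suggest "certificate within its validity period". The closing sentence refers to "the Sun criteria" although nothing earlier says which list that is; labelling the first list as the Sun criteria would make the contrast with the OSGi list explicit.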
  
  

Revision as of 12:36, 8 February 2007

Most of the information in this note can be found in the `help' section of the jarsigner and keytool utilities:

jarsigner --help

keytool --help


Criteria for Signature Validity

A digital signature is considered valid when the following criteria are met:

  • The archive resources have not been modified after the signature,
  • The certificate is within its validity period (neither outdated nor not yet valid).

Moreover, the signer of the archive must be known, i.e. its public key certificate must be identified as trusted before validation. Otherwise, any malicious third party can forge a similar certificate, potentially with the same signer name, and present a coherent signed archive.

The OSGi framework defines additional criteria of archive signature validity, which are specific to the deployment of components from third-party repositories:

  • No resource has been removed from the archive after the signature,
  • No resource has been added to the archive after the signature,
  • The digital signature must immediately follow the Manifest file of the archive, to prevent caching malicious files.

This means that, depending on the security level you need, the Sun criteria of signature validity may not be sufficient.
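The three OSGi criteria above can be checked from the archive layout alone. The following is an added example, not code from this page or from OSGi; the function names and the sample archive are constructed for illustration, and it checks structure only (digests and certificate trust still have to be verified separately).

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_EXTS = (".SF", ".RSA", ".DSA", ".EC")  # signature file and signature block files

def is_signature_file(name):
    # Signature files live directly in META-INF/, not in its subdirectories.
    return (name.startswith("META-INF/") and name.count("/") == 1
            and name.upper().endswith(SIG_EXTS))

def manifest_names(text):
    # Long manifest lines are wrapped; a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    return {l[len("Name: "):] for l in unfolded.split("\n") if l.startswith("Name: ")}

def structural_problems(jar_bytes):
    """Check the three OSGi criteria by archive layout only (hypothetical helper)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = [n for n in jar.namelist() if not n.endswith("/")]
        if MANIFEST not in entries:
            return ["no manifest"]
        listed = manifest_names(jar.read(MANIFEST).decode("utf-8"))
    after = entries[entries.index(MANIFEST) + 1:]
    flags = [is_signature_file(n) for n in after]
    problems = []
    if not any(flags):
        problems.append("no signature files")
    elif not all(flags[:sum(flags)]):  # signature files must form one run right after it
        problems.append("signature does not immediately follow the manifest")
    resources = {n for n in entries if n != MANIFEST and not is_signature_file(n)}
    problems += [f"added after signing: {n}" for n in sorted(resources - listed)]
    problems += [f"removed after signing: {n}" for n in sorted(listed - resources)]
    return problems

def build_jar(entries):
    # Constructed sample input: writes (name, bytes) pairs in the given order.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()

# Constructed manifest listing two resources (digest values are placeholders).
SAMPLE_MF = (b"Manifest-Version: 1.0\r\n\r\n"
             b"Name: a/A.class\r\nSHA-256-Digest: placeholder\r\n\r\n"
             b"Name: b/B.class\r\nSHA-256-Digest: placeholder\r\n\r\n")
GOOD = [(MANIFEST, SAMPLE_MF), ("META-INF/SIGNER.SF", b""),
        ("META-INF/SIGNER.RSA", b""), ("a/A.class", b"A"), ("b/B.class", b"B")]

if __name__ == "__main__":
    print(structural_problems(build_jar(GOOD)))
    print(structural_problems(build_jar(GOOD[:4] + [("x/Evil.class", b"E")])))
```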


Use of the JarSigner Tool

Use of the Keytool Utility

References