I've signed my jar with a key that I generated using keytool. At runtime, how do I verify that the jar hasn't been modified?
The goal is to use the certificate information and verify that each class in the jar has not been modified since the jar was built. This is a runtime check so the jar containing the code could be anywhere on the user's file system.
The JarFile
class embeds the jar verifier. This code snippet verifies the signature of all entries in an archive :
JarFile jar = new JarFile("/path/to/myarchive.jar");
Enumeration<JarEntry> entries = jar.entries();
while (entries.hasMoreElements()) {
JarEntry entry = entries.nextElement();
try {
jar.getInputStream(entry);
} catch (SecurityException se) {
/* Incorrect signature */
throw new Error("Signature verification failed", se);
}
}
Note that this code verifies the integrity of the jar but does not verifies the signature against a given key or certificate.