Tags: java, kotlin, jarsigner, jar-signing, jpackage

JAR signing stops someone from modifying a JAR, but what stops someone from swapping the JAR with their own that they've signed, or is unsigned?


I have a Java desktop application. I'm downloading and dynamically running JAR files. JAR signing protects me from someone modifying the JAR file that I've downloaded. How would I verify that my application only runs JARs that I've signed though?

Without ensuring that all JARs I'm running are signed by me, then isn't JAR signing still insecure for desktop use?


Solution

  • JAR signing is about verification by the one running the application that it hasn't been modified since it was signed. In addition, based on the certificate, you can check who signed it.

    It does not protect against modification by the one running the application: they can strip out the signature, or they can sign it themselves, and if you have code in your application to verify the signature, they can also replace that code to perform no verification or verify against their certificate.

    In other words, yes, you're right, it doesn't protect you from the scenario you have in mind. It is also not intended for that scenario (as in, it is not a form of DRM).

    Whether or not you consider it safe for desktop use is, again, up to the person/company running the application. They can configure their security policy in such a way as to accept only certain signing certificates.

    You may also want to read the Java tutorial Signing and Verifying JAR Files, especially the chapter Understanding Signing and Verification.
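As an added example (not code from the question or the answer), here is one way the application's own loader can do the check the answer describes: pin the developer's signing certificate and refuse to load a downloaded JAR unless every entry is signed by it. The class name, method names and file paths are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class TrustedJarCheck {
    /** Load the pinned signing certificate (DER or PEM) bundled with the application. */
    static X509Certificate loadPinnedCert(Path certPath) throws Exception {
        try (InputStream in = Files.newInputStream(certPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** MANIFEST.MF, .SF and signature-block files carry no code signers themselves. */
    private static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /** True only if every class/resource entry is signed by the pinned certificate; unsigned
     *  entries (files can be appended to a signed JAR without breaking it) are rejected too. */
    static boolean isSignedBy(Path jarPath, X509Certificate pinned) throws IOException {
        byte[] buf = new byte[8192];
        // verify=true: JarFile checks each entry's digest against the signature files as it is read
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                // Read to the end: digests are verified while reading (tampering throws SecurityException)
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();   // populated only after a full read
                if (signers == null) return false;               // unsigned entry
                boolean matched = false;
                for (CodeSigner s : signers)                     // leaf certificate is first in the path
                    matched |= s.getSignerCertPath().getCertificates().get(0).equals(pinned);
                if (!matched) return false;                      // signed, but not by the pinned certificate
            }
        }
        return true;
    }
}
```

The check compares the exact pinned certificate rather than validating a chain, so rotating the signing key means shipping a new pinned copy; and, as the answer notes, it runs on the user's machine, so whoever controls that machine can still remove it.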