
The `Class<?>` class has a method `public Object[] getSigners()` whose JavaDoc is not so helpful in explaining what the method does; calling it on a couple of classes returned null for me.

Google only returned information about security exceptions, which did not mention the signers of a class; I have seen there that these exceptions occur when the same classes are loaded from multiple jars.

What exactly does the signer of a Java class represent? Is it some unique identifier provided by the JVM or by a tool when a Jar is signed?

There is a tag for signer on StackOverflow, but it's empty...

Mat
Random42
  • 2
    http://docs.oracle.com/javase/tutorial/security/toolsign/ – SLaks Jun 19 '13 at 17:56
  • 4
    That link doesn't explain what the `getSigners()` method does – BlackHatSamurai Jun 19 '13 at 18:00
  • Maybe try signing some code with that and see what it returns? – David Conrad Jun 19 '13 at 18:16
  • http://db.apache.org/derby/docs/10.3/devguide/cdevcsecure90988.html: *"Pass the array of certificates to the setSigners() method of java.lang.ClassLoader. This allows security managers to obtain the list of signers for a class (using java.lang.Class.getSigners) and then validate the identity of the signers using the services of a Public Key Infrastructure (PKI)."* – assylias Jun 19 '13 at 18:17
  • @DavidConrad I have said: "calling it on a couple of classes returned null for me." – Random42 Jun 19 '13 at 18:27
  • That is because the class was not signed yet. – Mitch Connor Jun 19 '13 at 20:25
  • It wasn't clear to me that the classes you called it on were signed; had you signed them? – David Conrad Jun 20 '13 at 16:51

1 Answer


When you sign a .jar file in Java, the Toolsigner goes through it and recursively signs every file in the .jar. However, this is not limited to just one signer, as you can sign a file with many different certificates. When you are verifying that a file is signed by the correct signer, you can call the method `getSigners()` to return a list of all the signers who signed that class.

Mitch Connor
  • And the only way to sign a class is by signing the .jar file using the toolsigner? – Random42 Jun 20 '13 at 07:28
  • Using a toolsigner is the only practical way that I know of. It is easy to use and there is absolutely no 'practical' reason not to use one. – Mitch Connor Jun 20 '13 at 12:30
  • 1
    And what exactly is a signer? It is some type of security token or key? – Random42 Jun 20 '13 at 12:33
  • The signer is the information about the certificates used to sign the code. You sign your code so that others will use it on their machine. If the code does anything malicious then there is a way to track down the producer of the code. – Mitch Connor Jun 20 '13 at 14:39
  • 1
    To which class each element of `getSigners()` output array can be typecast to (obviously, `Object` is not very useful)? Maybe it's `java.security.Signer` or `java.security.CodeSigner`? – John McClane Nov 22 '18 at 18:40
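As an added illustration (this is not code from the question, the answer or the comments above), the program below loads a class from a jar, calls `getSigners()`, and shows what the elements actually are. In the reference JDK the array holds `java.security.cert.Certificate` objects: `URLClassLoader` builds a `CodeSource` from the jar entry's code signers, and `ClassLoader` records that `CodeSource`'s certificates as the class's signers, so the same objects are reachable through the class's `ProtectionDomain`. A non-null result only says the bytes were signed by *some* certificate; the check a practitioner wants is that the signing (leaf) certificate equals a certificate they already trust, which is what `isSignedBy` does. The jar path, class name and certificate file are placeholder command-line arguments, not values from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;

/**
 * Inspects the signers of a class loaded from a (possibly signed) jar and
 * checks them against a pinned, trusted X.509 certificate.
 *
 * Usage (all three arguments are placeholders chosen for this example):
 *   java SignerCheck signed.jar com.example.Foo trusted-signer.cer
 */
public class SignerCheck {

    /**
     * Returns the class's signers as X509Certificate objects, or an empty array
     * when getSigners() is null (unsigned entry, or a class not loaded from a jar).
     * Cross-checks the array against the ProtectionDomain's CodeSource, which is
     * where ClassLoader took the signers from in the first place.
     */
    static X509Certificate[] signerCertificates(Class<?> cls) {
        Object[] signers = cls.getSigners();
        if (signers == null) {
            return new X509Certificate[0];
        }
        CodeSource cs = cls.getProtectionDomain().getCodeSource();
        Certificate[] fromCodeSource = cs == null ? null : cs.getCertificates();
        if (fromCodeSource == null
                || !new HashSet<>(Arrays.asList(signers)).equals(new HashSet<>(Arrays.asList(fromCodeSource)))) {
            throw new IllegalStateException("signers and CodeSource certificates disagree for " + cls.getName());
        }
        List<X509Certificate> out = new ArrayList<>();
        for (Object o : signers) {
            if (!(o instanceof X509Certificate)) {
                throw new IllegalStateException("unexpected signer type: " + o.getClass().getName());
            }
            out.add((X509Certificate) o);
        }
        return out.toArray(new X509Certificate[0]);
    }

    /**
     * True only if one of the class's code signers used exactly the pinned certificate.
     * getSigners() flattens every signer's whole chain (leaf plus issuers), so the
     * comparison is done per CodeSigner on the first certificate of its CertPath.
     */
    static boolean isSignedBy(Class<?> cls, X509Certificate trusted) {
        CodeSource cs = cls.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getCodeSigners() == null) {
            return false;
        }
        for (CodeSigner signer : cs.getCodeSigners()) {
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(trusted)) {   // Certificate.equals compares the DER encodings
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Path jar = Paths.get(args[0]);
        String className = args[1];
        X509Certificate trusted;
        try (InputStream in = new FileInputStream(args[2])) {
            trusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        URL[] urls = { jar.toUri().toURL() };
        // Parent null (bootstrap only): the class must really come from this jar and
        // cannot be shadowed by a same-named class on the application classpath.
        // initialize=false: inspect the signers before any static initializer runs.
        try (URLClassLoader loader = new URLClassLoader(urls, null)) {
            Class<?> cls = Class.forName(className, false, loader);
            X509Certificate[] certs = signerCertificates(cls);
            if (certs.length == 0) {
                System.out.println(className + ": unsigned (getSigners() returned null)");
            }
            for (X509Certificate c : certs) {
                System.out.println("signer/chain certificate: " + c.getSubjectX500Principal());
            }
            System.out.println("signed by pinned certificate: " + isSignedBy(cls, trusted));
        }
    }
}
```

Two behaviours of the loader matter when reading the output. First, `URLClassLoader` verifies the jar's signature while reading the entry, so a class whose bytes no longer match the manifest digests is refused with a `SecurityException` before `getSigners()` is ever reached. Second, a signed jar may still contain unsigned entries, and entries whose signature block is missing simply load with `getSigners() == null`, which is why the check is made per class rather than once per jar.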