can we resign the already signed jars in java?

Question

I've a .jar file with an old signature and want to resign it with a new signature. Is it possible?

If it is possible: how to do it?

score 16 · Accepted Answer · answered Jan 29 '10 at 15:33

16

If the signature is not one you own, you would need to unjar the jar first.

Like so (assume unix, translate to dos otherwise):

jar xvf JarName.jar

rm -rf META-INF

jar cvf JarName.jar *

Now you need to run jarsigner to sign the jar

jarsigner -keystore /yourkeystoredirectory/mystore -storepass yourpass
      -keypass yourkeypasswd JarName.jar keyname

If you don't have a keystore, you can create one with keytool.

answered Jan 29 '10 at 15:33

Chris Kannon

5

"rm -rf META-INF" is an really bad idea. This delete important files like services directory too. – SkateScout May 28 '15 at 21:58

score 2 · Answer 2 · answered Jan 19 '17 at 08:29

Remove files with ".SF" or ".RSA" extension from the META-INF folder inside the jar.
Delete signing checksums from META-INF/MANIFEST.MF: each "Name" and "SHA1-Digest" fields should be deleted from META-INF/MANIFEST.MF.

A more comprehensive documentation can be found on the oracle documentation: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File (for example there can be ".DSA" files in the META-INF folder, and files beginning with "SIG-" )

score 1 · Answer 3 · answered Jan 29 '10 at 15:19

1

You can extract the class files and re-jar them with your signature

answered Jan 29 '10 at 15:19

Greg

3 Answers3