1

All,

Is there a good free Java utility that shows you the key that a JAR file was signed by?

I have a number of JAR files referenced in my application - I want to know which ones were signed by the same certificate.

Basically I want to know this as when I am running my JNLP file (hurray!) I am greeted with the message "JAR resources in the JNLP file are not signed by the same certificate".

I have looked at jar resources in jnlp are not signed by the same certificate

I have quite a few JARS so a utility would come in handy.

Edit

The main question is was there a tool that can show me which JARs were signed by which certificate. Unfortunately the jarsigner tool only tells me if they are signed or not - not by who/what.

Unfortunately I have still not found any tool as yet.

end Edit

Cheers,

Andez

Community
  • 1
  • 1
Andez
  • 5,588
  • 20
  • 75
  • 116

4 Answers4

3

The easiest is just to resign them all with your own key.

Thorbjørn Ravn Andersen
  • 73,784
  • 33
  • 194
  • 347
  • I was hoping my netbeans 7 would be doing this. I have generated a key and the project output indicates that it has signed all of the files with my key. However when I run my JNLP file, it begs to differ. – Andez Jun 21 '11 at 13:25
  • Consider enabling Java Console and set log level to trace. This allow you to see the debug messages that javaws gives while loading your application. – Thorbjørn Ravn Andersen Jun 21 '11 at 17:23
1

Did you take a look at jarsigner ?

Dimitri
  • 8,122
  • 19
  • 71
  • 128
  • Hi Dimitri. Yes that was the first thing I tried. However jarsigner -verify -certs myjarfile.jar did not give me real information. – Andez Jun 21 '11 at 13:08
1

This might be of help Signed Jar File.

Dave G
  • 9,639
  • 36
  • 41
0

The JDK tool JarSigner is probably that what you are searching for. You find it in the tools.jar. The sources are availible if you need a deeper understanding of the signing and verification process.

Also I think it should be possible to use jars with different certs. I didn't test it but perhaps it helps to do something like

...
<resources>
    <jar href="jarwithcert1.jar"/>
</resources>
<resources>
    <jar href="jarwithcert2.jar"/>
</resources>
...

or

...
<resources>
    <jar href="jarwithcert1.jar" part="one" />
    <jar href="jarwithcert2.jar" part="two" />
</resources>
...
alexvetter
  • 1,998
  • 2
  • 16
  • 42
  • @polyurethan - yes I read somewhere that you could do it. The post I saw was for http://stackoverflow.com/questions/430755/jar-resources-in-jnlp-are-not-signed-by-the-same-certificate. I have not tried this yet. But more a case of identifying at the minute thanks andez – Andez Jun 21 '11 at 13:10
  • @Andez What did you try? That what I answered or the other solution with an extra jnlp for the other jars? – alexvetter Jun 21 '11 at 14:24
  • @polyurethan - there is a 2 step process. I found it on http://webstartfaq.com/ You need to do it in 2 files. JavaHelp Sun Microsystems, Inc. Funnily enough it was the jh.jar file causing the problem. – Andez Jun 21 '11 at 14:53
  • I thought I did download a different jh.jar file from here before http://www.java2s.com/Code/Jar/JKL/Downloadjh2005jar.htm. This did not have the signing in. But my initial question was is there a tool for this. Might spend some time on some code I come across to do this and put it on web somewhere :-/ – Andez Jun 21 '11 at 14:55
  • Yeah, okay. But that's because I posted the link to the openjdk. There is the source of the JarVerifier. It should be possible to build a tiny tool for checking the certs of all jars. With the URLClassLoader you can get all jar you loaded. `URLClassLoader cl = (URLClassLoader) Thread.currentThread().getContextClassLoader(); URL[] urls = cl.getURLs(); for (URL url : urls) { System.out.println(url); }` – alexvetter Jun 21 '11 at 15:23