46

Why should I sign my JAR files?

I know that I need to sign my client-side JAR files (containing Applets) so that special things like filesystem access can be done, and so that the annoying bit at the bottom of windows doesn't show, but why else? And do I need to sign my server-side JAR files containing Servlets, etc.?

Some basic rules for when and when not to sign JARs would be appreciated - thanks!

Roman C
  • 49,761
  • 33
  • 66
  • 176
Chris Carruthers
  • 3,945
  • 6
  • 31
  • 31
  • duplicate of http://stackoverflow.com/questions/3327020/whats-the-point-of-signing-code-like-jars ? – Dan Jan 21 '12 at 16:51

4 Answers4

42

The short answer - don't, unless your company policy forces you to.

The long answer
Signing jars is effectively telling your customer "I made this, and I guarantee it won't mess up your system. If it does, come to me for retribution". This is why signed jars in client-side solution deployed from remote servers (applets / webstart) enjoy higher privileges than non-signed solutions do.

On server-side solutions, where you don't have to to placate the JVM security demands, this guarantee is only for your customer peace of mind.
The bad thing about signed jars is that they load slower than unsigned jars. How much slower? it's CPU-bound, but I've noticed more than a 100% increase in loading time. Also, patches are harder (you have to re-sign the jar), class-patches are impossible (all classes in a single package must have the same signature source) and splitting jars becomes a chore. Not to mention your build process is longer, and that proper certificates cost money (self-signed is next to useless).

So, unless your company policy forces you to, don't sign jars on the server side, and keep common jars in signed and non-signed versions (signed go to the client-side deployment, non-signed go to server-side codebase).

Ran Biron
  • 6,317
  • 5
  • 37
  • 67
  • Why is it CPU-bound? I think checking the CRLs is an online action and depends much on the Internet connection speed, probably focussing on latency there. – Thomas Weller Mar 16 '15 at 13:53
  • When you load a signed jar file, a process called "verification" takes place. Both signing and verification are expensive because cryptographic algorithms have to be executed in order to perform the operation, whatever it is. However: expensive in relation to not signing / not verifying. I mean: the elapsed time may or may not be an issue, depending on circumstances. – Richard Gomes Jul 06 '16 at 00:05
  • This is terrible, terrible advice. – PopKernel Oct 17 '17 at 16:13
  • @PopKernel wow. way to raise up the dead. My original answer is _almost_ 10 years old. But... why is it a "terrible, terrible advice"? Honestly, I've been away from that world of jar signing for the last 7 years, so I have no idea of any progress or issues that may have occurred. However, it seems like the basic premise I based my answer on should still be in effect. – Ran Biron Oct 18 '17 at 16:30
  • @RanBiron almost zero jar files are signed these days. If you’re on a Mac at least, you have to trudge through multiple dialogs to disarm Gatekeeper just to open a jar. Also, unsigned jars are much more likely to be phishbait, and could even be rewritten in mid-download by a malicious actor. It also breaks Java Web Start, which probably makes an Oracle executive somewhere really sad. – PopKernel Oct 18 '17 at 21:30
  • @PopKernel Wow. erm. wow. ok. So basically - you said that client-side jars should be signed. I agree (well, there are exceptions, but mostly I agree). However, the OP asked about jars for server-side applications - which is what my answer is about. I truly am sorry for you bricking your mac - that's the danger of beta OS I guess. Usually I try to use VMs for such things and leave the host OS on a stable version. – Ran Biron Oct 20 '17 at 04:16
  • @RanBiron I apologize, I haven't been getting enough sleep. My sleep deprived brain thought it funny/satirical to suggest I was angry about something clearly so self-inflicted, but rereading it now I just sound salty. Don't worry, that Mac already was frequently failing to boot before I installed the betas. The events I described did occur though, and were just as bizarre as they sounded. The biggest detail I left out was that I was working for the school paper-- that's half the reason I went through all that effort. – PopKernel Oct 20 '17 at 04:24
  • @RanBiron also, you're right, I misread OP. This question is the top SO result for the Google search "Should I sign jar files" so I misread it as pertaining to all jar files, though I imagine I'm not the only one who's ever misread this question given the title. – PopKernel Oct 20 '17 at 04:28
3

Signing a jar file, just like using certificates in other contexts, is done so that people using it know where it came from. People may trust that Chris Carruthers isn't going to write malicious code, and so they're willing to allow your applet access to their file system. The signature gives them some guarantee that the jar really was created by you, and not by an impostor or someone they don't trust.

In the case of server-side or library jars, there's usually no need to provide that kind of guarantee to anybody. If it's your server, then you know what jars you're using and where they came from, and you probably trust your own code not to be malicious.

super_aardvark
  • 1,825
  • 1
  • 14
  • 19
3

A good reason could be if you never wanted anybody to be able to sneak in modfied classes to be called by your code.

Unfortunately that includes yourself :-D So this is only to be done if you really need it. Check the "sealed jar" concept.

Thorbjørn Ravn Andersen
  • 73,784
  • 33
  • 194
  • 347
1

In terms of applets: From 6u10, the Sun JRE replace the warning banner with less obtrusive (from 6u12, IIRC) warning triangle (necessary to support shaped and transparent windows). 6u10 also allows controlled file access through the JNLP services API.

The principle of least privilege says that you should not sign the classes of your jar files. Security is not necessarily easy.

Simply showing a certificate dialog box should not be construed to mean that the entire contents of a web page is to be trusted.

Tom Hawtin - tackline
  • 145,806
  • 30
  • 211
  • 305