
how to programmatically sign JARs?


baref...@my-deja.com

Jan 29, 2001, 11:30:50 PM
Hello,

I'm having a problem determining how to programmatically sign JAR
files. The application I'm working on creates JAR files at runtime
that are then deployed to various places on the net. Obviously these
should be signed, but I'm having difficulty determining how to do this
in a (relatively) painless manner.
I understand the process of key generation, importing certificates,
verification, etc., just fine using the "keytool" and "jarsigner"
command-line utilities, but I've seen/heard nothing about how to
accomplish the same task programmatically.

Here are the possibilities I've considered:

1. Using reflection to invoke the main method in
sun.security.tools.JarSigner (The class that does all the work for the
jarsigner utility). I've tried this and I keep getting the following
exception :
java.lang.IllegalArgumentException: wrong number of arguments
at java.lang.reflect.Method.invoke(Native Method)
As I am passing in an object of type String[] (I've tried an object
of type Object[] that contains the correct Strings as well), I don't
see how this is possible. Is invoking the main method via reflection
forbidden somehow (I've never attempted it before)?

2. Using java.lang.Runtime's "exec(String[] cmdArray)" to invoke the
jarsigner tool in its own process. I haven't tried this yet, but
consider it <extremely> bad practice because then the application is
platform-dependent, and the jarsigner binary must be in your system's
path. Moreover, there is nothing to prevent someone from supplanting
the jarsigner binary with their own insidious version of it, to
accomplish whatever nefarious deeds they have in mind. Like annoying
me. :)

3. I have successfully de-compiled sun.security.tools.JarSigner, but I
believe this is a no-no, as I can't find the source or any
documentation on the classes in this package on Sun's web site. If
this is even legal (which I have my doubts about), I could re-work this
class to accomplish the task before me. Even if it is legal, this
solution is somewhat distasteful (visions of a class
called "JarSigner2" dancing in my head). And no, I can't just use this
class as is because it is laced with System.exit's.

If you've read this far, you MUST be mildly interested in this problem
(or really, REALLY bored)--I'd love to hear any thoughts/suggestions
that anyone may have.

Thanks in advance,

Joe Barefoot

Sent via Deja.com
http://www.deja.com/
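
Added example, not part of the original thread: JDK 9 and later ship a supported signing API, `jdk.security.jarsigner.JarSigner` (module `jdk.jartool`), which signs in-process without reflection into `sun.*` classes and without a PATH lookup of the jarsigner binary. The PKCS12 keystore, the alias, the file paths and the `JAR_KS_PASS` environment variable are assumptions for illustration.

```java
import jdk.security.jarsigner.JarSigner;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.zip.ZipFile;

public class SignJar {

    // Signs unsignedJar into signedJar with the private key stored under alias.
    static void sign(String keystorePath, char[] password, String alias,
                     String unsignedJar, String signedJar) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyStore.Entry entry =
                ks.getEntry(alias, new KeyStore.PasswordProtection(password));
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            // Missing alias or a certificate-only entry: refuse rather than emit an unsigned JAR.
            throw new IllegalArgumentException("no private key entry under alias " + alias);
        }
        JarSigner signer = new JarSigner.Builder((KeyStore.PrivateKeyEntry) entry)
                .digestAlgorithm("SHA-256")
                .build(); // signature algorithm defaults to one matching the key type
        try (ZipFile in = new ZipFile(unsignedJar);
             OutputStream out = new FileOutputStream(signedJar)) {
            signer.sign(in, out);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SignJar <keystore.p12> <alias> <in.jar> <out.jar>");
            return;
        }
        // Hypothetical variable name; keeps the password out of the process argument list.
        String pass = System.getenv("JAR_KS_PASS");
        if (pass == null) {
            throw new IllegalStateException("JAR_KS_PASS is not set");
        }
        sign(args[0], pass.toCharArray(), args[1], args[2], args[3]);
    }
}
```

The output can be checked with `jarsigner -verify` against the signed file.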

Roedy Green

Jan 30, 2001, 2:29:55 PM
On Tue, 30 Jan 2001 04:30:50 GMT, baref...@my-deja.com wrote or
quoted :

>If you've read this far, you MUST be mildly interested in this problem

What are you up to? Why are you signing jars on a production line basis?
Usually this is something done at a development site where the
platform is known, as the last step before shipping the product out the
door. Multiplatformness is not important.


Are you creating some tools?

--
Answers to the four most frequent questions:
Please consult the Java glossary:
1) for conversion problems, see "conversion".
2) for I/O problems, see the "File I/O Amanuensis" and "File".
3) if you want to create a *.exe, see "native compiler".
4) if you are new to Java, see "getting started"
For the JAVA GLOSSARY see http://www.mindprod.com/jgloss.html
or http://209.153.246.39/jgloss.html
--
Roedy Green, Canadian Mind Products
Custom computer programming since 1963
