can we resign the already signed jars in java?

Question

I've a .jar file with an old signature and want to resign it with a new signature. Is it possible?

If it is possible: how to do it?

Answer 1

If the signature is not one you own, you would need to unjar the jar first.

Like so (assume unix, translate to dos otherwise):

jar xvf JarName.jar

rm -rf META-INF

jar cvf JarName.jar *

Now you need to run jarsigner to sign the jar

jarsigner -keystore /yourkeystoredirectory/mystore -storepass yourpass
      -keypass yourkeypasswd JarName.jar keyname

If you don't have a keystore, you can create one with keytool.

Answer 2

I found a better solution on https://www.chemaxon.com/forum/viewpost35555.html#35555

1. Remove files with ".SF" or ".RSA" extension from the META-INF folder inside the jar.
2. Delete signing checksums from META-INF/MANIFEST.MF: each "Name" and "SHA1-Digest" fields should be deleted from META-INF/MANIFEST.MF.

A more comprehensive documentation can be found on the oracle documentation: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File (for example there can be ".DSA" files in the META-INF folder, and files beginning with "SIG-" )