Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

can we resign the already signed jars in java?

Tags:

I've a .jar file with an old signature and want to resign it with a new signature. Is it possible?

If it is possible: how to do it?

like image 489
GuruKulki Avatar asked Jan 29 '10 15:01

GuruKulki


People also ask

Is JAR file already compiled?

A . jar file contains compiled code (*. class files) and other data/resources related to that code. It enables you to bundle multiple files into a single archive file.


2 Answers

If the signature is not one you own, you would need to unjar the jar first.

Like so (assume unix, translate to dos otherwise):

jar xvf JarName.jar

rm -rf META-INF

jar cvf JarName.jar *

Now you need to run jarsigner to sign the jar

jarsigner -keystore /yourkeystoredirectory/mystore -storepass yourpass
      -keypass yourkeypasswd JarName.jar keyname

If you don't have a keystore, you can create one with keytool.

like image 95
Chris Kannon Avatar answered Sep 23 '22 09:09

Chris Kannon


I found a better solution on https://www.chemaxon.com/forum/viewpost35555.html#35555

  1. Remove files with ".SF" or ".RSA" extension from the META-INF folder inside the jar.
  2. Delete signing checksums from META-INF/MANIFEST.MF: each "Name" and "SHA1-Digest" fields should be deleted from META-INF/MANIFEST.MF.

A more comprehensive documentation can be found on the oracle documentation: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File (for example there can be ".DSA" files in the META-INF folder, and files beginning with "SIG-" )

like image 33
Nicolas Avatar answered Sep 22 '22 09:09

Nicolas