What's the point of signing code, like jars?

Question

What is the point of signing your code like Java's jars when everyone can do it with jarsigner? How does it provide security?

Answer 1

The point of signing a JAR file is to verify that it has not been tampered with. Once a jar file is signed you can verify that this file hasn't been modified by someone else. This ensures that the file originates from the person that originally signed it. If someone has modified the file in-between the signature verification process will fail. You may check this article for more details on how public key cryptography could be used to perform digital signature.

Answer 2

When you sign a jar file you can show that it was you that signed it and not someone else.

It's the same idea when you sign a document - only you can write your signature. Other people can sign it, but they'll sign it with their signature, not yours.

With hand-written signatures a skilled forger can learn to copy your signature. With digital signatures it is much more difficult to make a copy because you need to get that person's private key. Without the private key you cannot make a signature that looks like theirs.