Java Forum / General / December 2007
jar signing

srinivas.veeranki@gmail.com - 18 Dec 2007 10:15 GMT
Hi All,

I made the jar signer using the following commands in the build.xml
<!-- For Signed Jars -->
    <property name="alias" value="pluginsigner"/>
    <property name="storepass" value="gis123"/>

And

<target name="sign" description="To sign the jars..." depends = "jar">
        <signjar jar="${basedir}\DcvBuild\dcvclient.jar" alias="${alias}"
storepass="${storepass}"/>
    </target>

It generates the signed jar successfully. But it's not giving any
security to it. Using a decompiler I generated the .jad file,
modified it, saved that file as .java and recompiled the generated source
file. I replaced the old .class file with the new .class file and made
the jar file. I replaced the old (signed) jar with the new jar file. I am
able to run my application with the new jar file.

Is it possible to restrict modification of the signed jar file?
Also, my requirement is not to allow the application to run with the
new jar. Is that possible?

Can you please advise? Thanks in advance...

Regards,

Srinivas.
Andrew Thompson - 18 Dec 2007 22:23 GMT
...
>It generates the signed jar successfully. But its not giving any
>security to it. ...

1) Signing a jar does not inherently 'give security' to it.
A signed applet will prompt the user to allow full permissions,
but they can always refuse.  A signed web start app. will
only get extra permissions if it requests them by specifying
j2ee-application-client-permissions or all-permissions
in the JNLP file (and the user agrees).  A regular app.
does not have a security manager, and code signing
will not be checked.
2) So, are you running this as a standard application?
If that is the case, you might get the effect you want by
launching it using web start, which I presume would notice
the changed code, the invalid signature, and reject it.

BTW - did you run the code signing tools 'information mode'
on the second jar, to ask if it was correctly signed?

Signature

Andrew Thompson
http://www.physci.org/

Andrew Thompson - 19 Dec 2007 02:09 GMT
>...
>>It generates the signed jar successfully. But its not giving any
>>security to it. ...
...
>BTW - did you run the code signing tools 'information mode'
>on the second jar, to ask if it was correctly signed?

Ahh yes, there it is.
jarsigner -verify [ options ] jar-file
<http://java.sun.com/javase/6/docs/technotes/tools/windows/jarsigner.html#Options

Signature

Andrew Thompson
http://www.physci.org/
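Andrew's point 1 is the crux: a plain `java -jar` launch never looks at the signature, so the only way a standalone application gets any benefit from signing is if something explicitly verifies the jar. The class below is an added example, not code from this thread or from Sun's tools: it does programmatically what `jarsigner -verify` does on the command line, by opening the jar with verification enabled, reading every entry to the end (which is when the JDK actually checks the entry's digest) and then requiring that each entry carries a signer whose certificate subject matches an expected value. The jar path taken from `args[0]` and the subject `CN=pluginsigner` are assumptions for illustration; substitute the DN of your own code-signing certificate.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not code from the thread): a start-up self-check that
 * refuses a jar unless every entry is intact and signed by an expected signer.
 * Assumptions: the jar path is argv[0]; "CN=pluginsigner" is a placeholder
 * for the subject DN of your own signing certificate.
 */
public class SignedJarCheck {

    /** Placeholder; replace with the subject DN of your signing certificate. */
    static final String EXPECTED_SUBJECT = "CN=pluginsigner";

    /** The manifest and the signature files are not themselves signed entries. */
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
            || upper.endsWith(".SF") || upper.endsWith(".RSA")
            || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    /** True only if every non-signature entry is unmodified and signed by expectedSubject. */
    public static boolean isFullySigned(String jarPath, String expectedSubject) throws IOException {
        // verify=true: JarFile checks each entry's digest against the manifest,
        // and the manifest against the .SF/.RSA files, while the entry is read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            if (jar.getManifest() == null) {
                System.err.println("no manifest: jar cannot be signed");
                return false;
            }
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;

                // Read to EOF. A modified entry (e.g. a recompiled .class) raises
                // SecurityException here, and getCodeSigners() is only populated
                // once the whole entry has been read.
                byte[] buf = new byte[8192];
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException tampered) {
                    System.err.println("tampered: " + entry.getName() + " (" + tampered.getMessage() + ")");
                    return false;
                }

                // No signers means the entry was added after signing, or the
                // signature files were simply deleted from the jar.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.err.println("unsigned entry: " + entry.getName());
                    return false;
                }
                if (!signedBy(signers, expectedSubject)) {
                    System.err.println("wrong signer on " + entry.getName());
                    return false;
                }
            }
        }
        return true;
    }

    /** Does any signer's leaf certificate carry the expected subject DN? */
    static boolean signedBy(CodeSigner[] signers, String expectedSubject) {
        for (CodeSigner signer : signers) {
            List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
            if (chain.isEmpty()) continue;
            X509Certificate leaf = (X509Certificate) chain.get(0);
            if (leaf.getSubjectX500Principal().getName().equals(expectedSubject)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SignedJarCheck <jar>");
            System.exit(2);
        }
        boolean ok = isFullySigned(args[0], EXPECTED_SUBJECT);
        System.out.println(ok ? "signature OK" : "signature check FAILED");
        System.exit(ok ? 0 : 1);
    }
}
```

Two caveats a practitioner would want. First, matching on the subject DN is only a demonstration; a self-signed certificate with the same DN is trivial to mint, so a real check should pin the signer's certificate or public key (compare `leaf.getEncoded()` against an embedded copy) rather than its name. Second, this check only helps when the code doing the checking is itself out of the attacker's reach (a launcher the user cannot edit, or the server side). In the scenario in the original post, where the person modifying the jar is also the one running it, they can delete the check as easily as they replaced the class, which is why the later replies point towards obfuscation, with its limits, and moving the critical logic to a server.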

srinivas.veeranki@gmail.com - 19 Dec 2007 13:23 GMT
> srinivas.veera...@gmail.com wrote:
>
[quoted text clipped - 23 lines]
>
> Message posted via http://www.javakb.com

Hi,

I am running my application as a standalone app. How can I restrict
this using Web Start?

Can u plz suggest me?

What about Jobfuscate? Does it work for this? I tried it, but
it's not generating the output jar. I am unable to process any files
using Jobfuscate even though I set the classpath.

Regards,
Srinivas.
Andrew Thompson - 19 Dec 2007 21:35 GMT
>> srinivas.veera...@gmail.com wrote:
...
>I am running my application as a standalone app. How can i restrict
>this using web start.

After posting that comment, I realised that would be pointless.
If someone 'wraps up' an application in webstart, it is trivial to
'unwrap it' and use it as a plain application again.

>Can u plz suggest me?

Can you please spell words properly?  This is not some
SMS/text message where we need to restrict the message
to just '90 characters'.

>What about the jobfuscate? ..

I have never used obfuscators.  From what I hear, they
are good for compressing bytecodes, and they make
an app. a little harder to reverse engineer, but not
impossible.

What does this application do?  Can the critical parts of
the application be moved to a server?

Signature

Andrew Thompson
http://www.physci.org/

Roedy Green - 19 Dec 2007 20:54 GMT
Here is the ANT I use for a simple Jar build and sign.

<target name="jar" depends="compile">
 <genjar jarfile="${jar.file}">
   <!-- include main class and all its dependencies -->
   <class name="${main.class}" />
   <!-- define the manifest -->
   <manifest>
     <attribute name="Main-Class" value="${main.class}" />
   </manifest>
 </genjar>

 <!-- S I G N -->
 <!-- get _your_ password from set jarsignerpassword=sesame -->
 <!-- get _your_ code-signing certificate from set
cert=mindprodcert2007aprdsa -->
 <property environment="env" />
 <signjar jar="${jar.file}"
   alias="${env.cert}" storepass="${env.jarsignerpassword}" />
</target>

Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Roedy Green - 19 Dec 2007 20:59 GMT
>It generates the signed jar successfully. But its not giving any
>security to it.

You might want to examine the jar with Winzip to make sure all the
pieces you expected are really in there.

See http://mindprod.com/jgloss/jar.html
http://mindprod.com/jgloss/jarsignerexe.html

Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Roedy Green - 20 Dec 2007 18:41 GMT
>Is it possible to restrict the modification in the signed jar file.
>and also my requirement is not to allow the application to run with
>new jar.

What do you mean by that?  Signing means nobody else can modify your
jar without losing your signature. What else do you need?
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

srinivas.veeranki@gmail.com - 28 Dec 2007 12:37 GMT
> On Tue, 18 Dec 2007 02:15:58 -0800 (PST), srinivas.veera...@gmail.com
> wrote, quoted or indirectly quoted someone who said :
[quoted text clipped - 8 lines]
> Roedy Green Canadian Mind Products
> The Java Glossary http://mindprod.com

Hi,

  My actual requirement is to restrict the decompiler process. I
signed the jar, but I'm able to decompile the .class file and I can
generate the .java file. I want to restrict this process. If I use
Jobfuscate I'll achieve my requirement. But I'm unable to generate the
jar file even though I set the classpath before executing the jobfoscate
command.

I generated the jar file using the build.xml. Can I apply the jobfuscate
command to that generated jar file, which contains the main method
class? This is the client-side jar only.

Is it possible to include the jobfoscate command in the build.xml?

Thanks in advance..

Srinivas.
Roedy Green - 30 Dec 2007 07:27 GMT
>My actual requirement is to restrict the decompiler process

see http://mindprod.com/jgloss/obfuscator.html
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Roedy Green - 30 Dec 2007 07:33 GMT
> jobfoscate
>command.

I had never heard of jobfuscate before. I googled it.

http://www.duckware.com/jobfuscate/index.html

It is an obfuscator that seems to work on class files rather than
complete jars, as is traditional.  It renames class files.

I would just build the jar as before just using the renamed file.

see http://mindprod.com/jgloss/ant.html
http://mindprod.com/jgloss/jarexe.html
http://mindprod.com/jgloss/jarsigner.html
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

EJP - 30 Dec 2007 06:00 GMT
> Signing means nobody else can modify your
> jar without losing your signature.

That's not quite right. Your original signature will remain, but it will
no longer correspond with the signature generated at verification time
for any changed files. So the verification step will fail.
Roedy Green - 30 Dec 2007 07:35 GMT
On Sun, 30 Dec 2007 06:00:30 GMT, EJP
<esmond.not.pitt@not.bigpond.com> wrote, quoted or indirectly quoted
someone who said :

>> Signing means nobody else can modify your
>> jar without losing your signature.
>
>That's not quite right. Your original signature will remain, but it will
>no longer correspond with the signature generated at verification time
>for any changed files. So the verification step will fail.

In other words the jar will no longer be signed.

Using an analogy,  digitally signing is like sealing with sealing wax
and your signet ring.  If somebody tampers, the wax seal will be
broken.

The term "sealing" is often used in computing still to mean some way
of freezing a collection from changes.
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Roedy Green - 30 Dec 2007 10:43 GMT
On Sun, 30 Dec 2007 07:35:30 GMT, Roedy Green
<see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
someone who said :

>The term "sealing" is often used in computing still to mean some way
>of freezing a collection from changes.

see http://mindprod.com/jgloss/seal.html
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

EJP - 30 Dec 2007 23:59 GMT
> In other words the jar will no longer be signed.

No, in other words the signature will no longer be *valid*.


©2008 Advenet LLC   Privacy Policy - Terms of Use