
Java Forum / Security / January 2007


Verifying signed jar files from C

Paul J. Lucas - 08 Jan 2007 01:51 GMT
I have a double-clickable application (for both Windows and Mac OS X) written
in Java (stored in jar files) that uses a native launcher written in C to
start a JVM and run a particular class's main() contained in one of the jar
files.

I want to sign the jar files at build-time and later verify them at run-time
to ensure they haven't been altered.  I want to do the verification as part
of the launcher written in C because somebody could still modify the jar
files and either leave them unsigned or re-sign them with his own self-signed
certificate.

I've done a lot of Google searches and I haven't been able to find any
information on doing what I want.  (I only find stuff on signing applets and
verifying jar files with the jarsigner command-line tool.)

Can I do what I want and, if so, how?

- Paul

Tom Hawtin - 08 Jan 2007 11:11 GMT
> I want to sign the jar files at build-time and later verify them at run-time
> to ensure they haven't been altered.  I want to do the verification as part
> of the launcher written in C because somebody could still modify the jar
> files and either leave them unsigned or re-sign them with his own self-signed
> certificate.

I don't follow why you want to do this. If the jar files can be altered,
why not C object code also? If the jar files are obtained from somewhere
else, why not have a local jar that does the signature verification?

Tom Hawtin

Paul J. Lucas - 12 Jan 2007 00:07 GMT
> > I want to sign the jar files at build-time and later verify them at run-time
> > to ensure they haven't been altered.  I want to do the verification as part
[quoted text clipped - 4 lines]
> I don't follow why you want to do this. If the jar files can be altered,
> why not C object code also?

It's much easier to obfuscate the object code produced by a C compiler than
it is to obfuscate the Java code.

- Paul

Tom Hawtin - 12 Jan 2007 13:12 GMT
>>> I want to sign the jar files at build-time and later verify them at run-time
>>> to ensure they haven't been altered.  I want to do the verification as part
[quoted text clipped - 6 lines]
> It's much easier to obfuscate the object code produced by a C compiler than
> it is to obfuscate the Java code.

So I just modify rt.jar to intercept classes as they are loaded. Your
system cracked in a tiny fraction of the time it took to write it.

Tom Hawtin

Paul J. Lucas - 14 Jan 2007 22:25 GMT
> > It's much easier to obfuscate the object code produced by a C compiler than
> > it is to obfuscate the Java code.
>
> So I just modify rt.jar to intercept classes as they are loaded. Your
> system cracked in a tiny fraction of the time it took to write it.

I don't see how altering rt.jar helps you.  The C launcher checks that the
application's jars haven't been altered even before a JVM is constructed.

- Paul

Tom Hawtin - 14 Jan 2007 22:40 GMT
> I don't see how altering rt.jar helps you.  The C launcher checks that the
> application's jars haven't been altered even before a JVM is constructed.

So a malicious cracker is free to inspect and doctor them after that...

Tom Hawtin

Paul J. Lucas - 15 Jan 2007 23:15 GMT
> > I don't see how altering rt.jar helps you.  The C launcher checks that the
> > application's jars haven't been altered even before a JVM is constructed.
>
> So a malicious cracker is free to inspect and doctor them after that...

While the application is running?

- Paul

