ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From T E Schmitz <>
Subject Re: [signjar] prevent double signing
Date Thu, 04 Nov 2004 14:03:33 GMT
Hello Ivan,

Ivan Ivanov wrote:

> --- T E Schmitz <> wrote:

>>I'm still looking to find out if you can determine
>>whether a jar file is already signed or not.

> In fact there is a way, but I do not know how it will
> work with Ant: jarsigner command line tool has -verify
> option. When run on signed jar:
> jarsigner -verify signed.jar
> it echoes 
> jar verified
> and when run on unsigned jar
> jarsigner -verify unsigned.jar
> it echoes
> jar is unsigned. (signatures missing or not parsable).

That's strange. This is not the output I'm getting (I'm using Sun's SDK
1.4.2_01 on Win2K).

For an unsigned jar, jarsigner returns:
"jarsigner: java.lang.IllegalStateException: zip file closed"

For a signed jar, jarsigner returns:
"Note: This jar contains unsigned entries which are not
integrity-checked. Re-run with -verbose to list unsigned entries."
When I look at the MANIFEST, I find that all the classes in the jar are
signed but not the directories.

> Next idea that comes to me is that your third party
> jars are not likely to changed every day. So why don't
> you list them explicitly and exclude them when you
> call <signjar> task?

That's what I am doing just now - I was just wondering whether there
might have been a better solution I had overlooked.

Like you, I keep the 3rd party jars in a separate directory. But some of
them are already signed by Sun and mustn't be signed again when used
with Java WebStart. The unsigned 3rd party jars, however, have to be signed.



Tarlika Elisabeth Schmitz

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message