View Full Version : JAR Signing Issue


Velos
June 4th, 2010, 07:43
Dear friends,

I have a problem patching Java-based software. I have decompiled it, made the necessary changes, compiled it again and made a JAR archive.

The problem is that the original JAR was signed, so the application does not start due to verification problems.

I do have a .csr file (certificate request), a .key file (private key) and a .crt file (certificate). How can I sign this JAR archive? Is it possible at all?

Thanks!

Harakiri
June 4th, 2010, 08:06
http://mindprod.com/jgloss/jarsignerexe.html

However, creating your own private key/self-signed certificate won't help much, you still have to ultimately trust your self-signed public key in the keystore of your Java runtime.

Alternatively, just remove the signature - you don't need a signed jar file to run it (OK, it depends, some crypto providers need to be signed).

Velos
June 4th, 2010, 08:39
Quote:
[Originally Posted by Harakiri;86721]However, creating your own private key/self-signed certificate won't help much, you still have to ultimately trust your self-signed public key in the keystore of your Java runtime.

I want to sign it with the 'original' certificate, not with my own. I have that certificate, I have the private key also. The question is how to import them into a keystore and then use them in jarsigner.

Harakiri
June 4th, 2010, 09:17
Quote:
[Originally Posted by Velos;86722]I want to sign it with the 'original' certificate, not with my own. I have that certificate, I have the private key also. The question is how to import them into a keystore and then use them in jarsigner.

Sorry, I can't help lazy people - I provided a link which contains all references and further documentation for your issue.

Velos
June 4th, 2010, 12:12
Quote:
[Originally Posted by Harakiri;86723]Sorry, I can't help lazy people - I provided a link which contains all references and further documentation for your issue.

Well... Actually I did a lot of research before asking... A quite useful link is this one:
http://www.agentbob.info/agentbob/79-AB.html

And I think it's not a big problem to help other people when they need help. Nobody knows everything, and things that are obvious to one person could be challenging to another. It's not a reason to call somebody lazy.

disavowed
June 4th, 2010, 12:53
Quote:
[Originally Posted by Velos;86722]I want to sign it with 'original' certificate


http://lmgtfy.com/?q=%22sign+with+a+certificate%22

You'll see the following:

"Well, you don't sign with a certificate" (the very first hit)
"You cannot sign with a certificate since it only contains the public key"
"remember you do not sign with a certificate"


You were called lazy above because you clearly didn't use Google before asking your question.

Velos
June 4th, 2010, 13:20
Thanks for your post. I also have the private key that is used to sign JARs. Of course, standard tools do not allow importing it into the keystore, but I was sure it's possible.

ronnie291983
June 6th, 2010, 23:54
The easiest way to remove this is by simply deleting the two files called “SIGNFILE.DSA” and “SIGNFILE.DSF” in the “META-INF” directory.

Velos
June 7th, 2010, 02:10
Quote:
[Originally Posted by ronnie291983;86741]The easiest way to remove this is by simply deleting the two files called “SIGNFILE.DSA” and “SIGNFILE.DSF” in the “META-INF” directory.

I have tried that, but it doesn't help. When the software is starting, I get a JAR verification exception...

ronnie291983
June 7th, 2010, 02:22
What kind of exception is it:

java.lang.SecurityException?

Velos
June 7th, 2010, 12:21
I have successfully signed my jar with the private key and certificate. Thanks for the help! The issue is solved.
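
Added example, not part of the original thread and not any poster's code: a defender-side integrity check for the META-INF files discussed above. It lists a JAR's signature files (`*.SF` plus a `*.DSA`, `*.RSA` or `*.EC` block) and compares every entry against the digest recorded in `MANIFEST.MF`, which is where a modified class in a signed JAR shows up. The function names and the sample JAR are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.I)

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    text = re.sub(r"\r\n?", "\n", text).replace("\n ", "")  # unfold continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(data):
    """Report signature files and entries that no longer match the manifest digests."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        report = {"signature_files": sorted(n for n in names if SIG_FILE.match(n)),
                  "mismatched": [], "unlisted": []}
        for name in names:
            if name.upper().startswith("META-INF/"):
                continue  # manifest and signature files are not self-listed
            digests = {k: v for k, v in manifest.get(name, {}).items() if k.endswith("-Digest")}
            if not digests:
                report["unlisted"].append(name)  # entry added after the manifest was written
            for attr, expected in digests.items():
                algo = attr[:-len("-Digest")].replace("-", "").lower()  # SHA-256 -> sha256
                actual = base64.b64encode(hashlib.new(algo, jar.read(name)).digest()).decode()
                if actual != expected:
                    report["mismatched"].append(name)
    return report

def build_sample_jar(patched=False):
    """Constructed sample: one class entry, its manifest digest, dummy signature files."""
    original = b"original bytecode"
    digest = base64.b64encode(hashlib.sha256(original).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: app/Main.class\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNFILE.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/SIGNFILE.DSA", b"\x00")  # placeholder, not a real signature block
        jar.writestr("app/Main.class", b"patched bytecode" if patched else original)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(build_sample_jar(patched=True)))
```

This checks content against the manifest only; it does not validate the cryptographic signature over the `.SF` file, for which `jarsigner -verify` remains the reference tool.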