View Full Version : JAR Signing Issue
Velos
June 4th, 2010, 07:43
Dear friends,
I have a problem in patching java-based software. I have decompiled it, made necessary changes, compiled it again and made JAR archive.
The problem is that original JAR was signed, so application does not start due to verification problems.
I do have .csr file (certificate request), .key file (private key) and .crt file (certificate). How can I sign this JAR archive? Is it possible at all?
Thanks!
Harakiri
June 4th, 2010, 08:06
http://mindprod.com/jgloss/jarsignerexe.html
however, creating your own private key/self signed certificate wont help much, you still have to ultimate trust your self signed public key in the keystore of your java runtime
alternatively just remove the signature - you dont need a signed jar file to run it (ok, it depends, some crypto providers need to be signed)
Velos
June 4th, 2010, 08:39
Quote:
| [Originally Posted by Harakiri;86721]however, creating your own private key/self signed certificate wont help much, you still have to ultimate trust your self signed public key in the keystore of your java runtime |
I want to sign it with 'original' certificate, not with my one. I have that certificate, I have private key also. The question is how to import them into keystore and then use in jarsigner.
Harakiri
June 4th, 2010, 09:17
Quote:
| [Originally Posted by Velos;86722]I want to sign it with 'original' certificate, not with my one. I have that certificate, I have private key also. The question is how to import them into keystore and then use in jarsigner. |
sorry, i cant help lazy people - i provided a link which contains all references and further documentation to your issue
Velos
June 4th, 2010, 12:12
Quote:
| [Originally Posted by Harakiri;86723]sorry, i cant help lazy people - i provided a link which contains all references and further documentation to your issue |
Well... Actually I have performed a lot of researches before asking... Quite useful link is this one:
http://www.agentbob.info/agentbob/79-AB.html
And I think it's not a big problem to help other people when they need help. Nobody knows everything, and obvious things for one person could be challenging to other. It's not a reason to call somebody lazy.
disavowed
June 4th, 2010, 12:53
Quote:
| [Originally Posted by Velos;86722]I want to sign it with 'original' certificate |
http://lmgtfy.com/?q=%22sign+with+a+certificate%22
You'll see the following:
"Well, you don't sign with a certificate" (the very first hit)
"You cannot sign with a certificate since it only contains the public key"
"remember you do not sign with a certificate"
You were called lazy above because you clearly didn't use Google before asking your question.
Velos
June 4th, 2010, 13:20
Thanks for your post. I also have the private key that is used to sign JARs. Of course, standard tools do not allow to import it to the keystore, but I was sure it's possible.
ronnie291983
June 6th, 2010, 23:54
The easiest way to remove this is by simply deleting the two files called the“SIGNFILE.DSA” and “SIGNFILE.DSF” in the “META-INF” directory.
Velos
June 7th, 2010, 02:10
Quote:
| [Originally Posted by ronnie291983;86741]The easiest way to remove this is by simply deleting the two files called the“SIGNFILE.DSA” and “SIGNFILE.DSF” in the “META-INF” directory. |
I have tried that, but it doesn't help. When software is starting, I get JAR verification exception...
ronnie291983
June 7th, 2010, 02:22
what kind of exception is it:
java.lang.SecurityException ?
Velos
June 7th, 2010, 12:21
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.
