Signatures
(Editorial note: this has to be augmented to also cover the use of locked and signed versions in package managers; see e.g. https://blog.tidelift.com/the-state-of-package-signing-across-package-managers)
Signing JAR Files
If there is source code with authentication, authorization, or other security functions that is to be deployed to endpoints, it must be bundled, sealed, and signed in a separate JAR file.
Examples:
For sealing, the header "Sealed" must first be entered in the manifest:
    Name: Porsche/Package/
    Sealed: true

The JAR file is then signed:

    jarsigner -keystore keystore -signedjar SignedPackage.jar org.jar certAlias

Checking Signature
If source code with authentication, authorization, or other security functions resides in a signed JAR file, then a separate class loader must be written to check the validity of the JAR file's signature.
Examples:
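Example of a custom invokeClass method:

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.lang.reflect.InvocationTargetException;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.cert.Certificate;

    // Method of the custom class loader (a ClassLoader subclass)
    public void invokeClass(String name, String[] args)
        throws ClassNotFoundException, NoSuchMethodException,
               InvocationTargetException, GeneralSecurityException,
               IOException {
      Class<?> c = loadClass(name);
      Certificate[] certs = c.getProtectionDomain().getCodeSource().getCertificates();
      if (certs == null || certs.length == 0) {
        // return, do not execute if unsigned
        System.out.println("No signature!");
        return;
      }
      KeyStore ks = KeyStore.getInstance("JKS");
      // keystore.jks is read from the user's home directory
      try (InputStream in = new FileInputStream(
          System.getProperty("user.home") + File.separator + "keystore.jks")) {
        ks.load(in, "loadkeystorepassword".toCharArray());
      }
      // user is the alias
      Certificate pubCert = ks.getCertificate("user");
      // check with the trusted public key, else throws exception
      certs[0].verify(pubCert.getPublicKey());
    }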
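
An added example (not from the original page or any project code): a standalone check that can run before a JAR is handed to a class loader. It reads every entry so the JDK verifies the digests, requires each entry's signer certificate to equal one pinned certificate (a stricter comparison than the `verify()` call above), and confirms the package is sealed in the manifest. The class name `SignedJarCheck`, the method names and the command-line arguments are assumptions for illustration.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {  // hypothetical name, added example
  /** True only if every entry is signed by `trusted` and `pkgPath` is sealed. */
  static boolean isTrustedAndSealed(File jar, Certificate trusted, String pkgPath)
      throws IOException {
    try (JarFile jf = new JarFile(jar, true)) {        // true = verify on read
      Manifest mf = jf.getManifest();
      if (mf == null) return false;
      byte[] buf = new byte[8192];
      for (JarEntry e : Collections.list(jf.entries())) {
        // Assumption of this example: directories and all of META-INF/ are skipped.
        if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
        // Signers are set only after a full read; a modified entry throws SecurityException.
        try (InputStream in = jf.getInputStream(e)) {
          while (in.read(buf) != -1) { /* drain */ }
        }
        CodeSigner[] signers = e.getCodeSigners();
        if (signers == null || Arrays.stream(signers).noneMatch(s ->
            s.getSignerCertPath().getCertificates().get(0).equals(trusted))) {
          return false;                                // unsigned or foreign signer
        }
      }
      return isSealed(mf, pkgPath);
    } catch (SecurityException tampered) {
      return false;
    }
  }

  /** A per-package "Sealed" entry overrides the main-section default. */
  static boolean isSealed(Manifest mf, String pkgPath) {
    Attributes a = mf.getAttributes(pkgPath);
    String v = (a == null) ? null : a.getValue(Attributes.Name.SEALED);
    if (v == null) v = mf.getMainAttributes().getValue(Attributes.Name.SEALED);
    return "true".equalsIgnoreCase(v);
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 3) { System.err.println("usage: <jar> <signer-cert> <package/path/>"); return; }
    try (InputStream in = new FileInputStream(args[1])) {
      Certificate trusted = CertificateFactory.getInstance("X.509").generateCertificate(in);
      System.out.println(isTrustedAndSealed(new File(args[0]), trusted, args[2]) ? "accepted" : "rejected");
    }
  }
}
```

The package path argument uses the manifest form shown earlier, with a trailing slash (`Porsche/Package/`).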