Leggevo la pagina man per la jarsigner
strumento fornito con JDK. Questa linea mi ha sorpreso:
A verification is still considered successful if none of the files that were in the JAR file when the signature was generated have been changed since then, which is the case if the hashes in the non-header sections of the .SF file equal the hashes of the corresponding sections in the manifest file.
Questo non ha senso per me. Non è possibile che un utente malintenzionato nasconda un codice dannoso in un file jar già firmato?
Aggiornamento: ecco un esempio di questo scenario. Sembra che jarsigner contrassegni il jar come contenente file aggiuntivi, ma continua a considerarlo verificato.
=> jar -cf twelfthnight.jar TwelfthNight.html
=> keytool -genkey -alias signFiles -keystore examplestore
=> jarsigner -keystore examplestore twelfthnight.jar signFiles
Enter Passphrase for keystore:
jar signed.
Warning:
The signer certificate will expire within six months.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-10-16) or after any future revocation date.
=> jarsigner -verify twelfthnight.jar
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains entries whose signer certificate will expire within six months.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-10-16) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.
=> jar uf twelfthnight.jar Hamlet.html
=> jarsigner -verify twelfthnight.jar
jar verified.
Warning:
This jar contains unsigned entries which have not been integrity-checked.
This jar contains entries whose certificate chain is not validated.
This jar contains entries whose signer certificate will expire within six months.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-10-16) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.