I want to verify an already signed .jar file. For this I need the public key which is stored in the certificate in the .rsa file. How do I get the certificate from the .rsa file which was generated with the jarsigner?
The `META-INF/{signer}.RSA` entry in a signed jar is a PKCS7 detached signature which among other things contains the certificate chain needed to verify the `{signer}.SF` entry and thereby (indirectly) the jar contents. If you have `jarsigner` you also have `keytool` -- which can read certs from a PKCS7, and can even find the PKCS7 in a signed jar, so just do `keytool -printcert -jarfile whatever.jar -rfc` to get all the certs (each) in PEM format. Save them somewhere like a file or the clipboard, and select the first cert (i.e. PEM block) from the 'Signature' group (not 'Timestamp', if present) with an editor or GUI or whatever. The result can be read with anything that accepts a PEM certificate; e.g. if you want to code in Java, do `CertificateFactory.getInstance("X.509")` then call `.generateCertificate()` on an `InputStream` that reads this file or data.

There are many other tools that handle PEM certs, which are offtopic here, and many libraries you can use in programs, which (probably) are, but far too many to fit in an SO answer.

Compare https://security.stackexchange.com/questions/178936/how-to-verify-sha256-fingerprint-of-apk (Android APK format is nearly the same as Java JAR) which obtains the certificates but only displays some human-readable info not the publickey; that's why I added `-rfc` in the command above.

However, having the cert (or publickey) is not enough to verify anything. You also need the 'SignerInfo' from the PKCS7, which may simply contain the (here RSA+hash) signature of the `{signer}.SF` entry, or it may contain the (again RSA+hash) signature or a 'signedAttributes' structure which in turn contains the digest of `{signer}.SF` and both must be verified. Those are harder. In addition the certificate should be validated to make sure it's not fake, or substituted (even if this was a jar you signed yourself, someone who tampers the contents can also tamper the signature to make it appear valid if you don't validate the certs). For that see `CertificatePathValidator` and I've seen existing Qs on it you could look at.
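An added example, not part of the answer above: rather than extracting the certificate by hand, it lets the JDK's `JarFile` perform the signature and digest checks the answer describes, then validates each signer's chain with `java.security.cert.CertPathValidator` and prints the signer's public key. The class name, the argument order and the truststore file are assumptions; revocation checking is switched off only so the example runs offline.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class VerifySignedJar {
    // Signature bookkeeping files directly under META-INF/ are not themselves signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Usage (assumed): java VerifySignedJar whatever.jar trust.p12 storepass
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(new File(args[1]), args[2].toCharArray());
        PKIXParameters params = new PKIXParameters(trust); // trust anchors = certs in the store
        params.setRevocationEnabled(false); // assumption: offline run, no CRL/OCSP
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        Set<X509Certificate> trustedSigners = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(new File(args[0]), true)) { // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Digests are checked only once the entry has been read to the end;
                // modified content raises SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned: " + e.getName());
                boolean ok = false;
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath(); // signer's cert comes first
                    try {
                        validator.validate(path, params); // chain must end at a trust anchor
                        trustedSigners.add((X509Certificate) path.getCertificates().get(0));
                        ok = true;
                    } catch (CertPathValidatorException ex) { /* try the next signer */ }
                }
                if (!ok) throw new SecurityException("no trusted signer: " + e.getName());
            }
        }
        for (X509Certificate c : trustedSigners)
            System.out.println(c.getSubjectX500Principal() + "\n" + c.getPublicKey());
    }
}
```

A signer certificate that has since expired fails validation here even when the jar carries a timestamp; passing the time from `CodeSigner.getTimestamp()` to `PKIXParameters.setDate` covers that case.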