How to find publisher of a signed Jar file?

Question

I have a few jar files that are signed. I am able to verify the signing using jarsigner. How do I find the publisher of the jar file? I would like to check if the jar file is signed by the appropriate trusted certificate.

Answer 1

Score: 2

Short answer: use jarsigner -verify -verbose -certs some.jar.

With -verbose and -certs, the output of jarsigner -verify will include certificate information for each of the signers found in the JAR file. If X509 certs were used, then the information includes the distinguished name information for the signer.

Here is some example output taken from the manual page:

jarsigner -keystore /working/mystore -verify -verbose -certs myTest.jar
          198 Fri Sep 26 16:14:06 PDT 1997 META-INF/MANIFEST.MF
          199 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.SF
         1013 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.DSA
          208 Fri Sep 26 16:23:30 PDT 1997 META-INF/JAVATEST.SF
         1087 Fri Sep 26 16:23:30 PDT 1997 META-INF/JAVATEST.DSA
   smk   2752 Fri Sep 26 16:12:30 PDT 1997 Tst.class
     X.509, CN=Test Group, OU=Java Software, O=Oracle, L=CUP, S=CA, C=US (javatest)
     X.509, CN=Jane Smith, OU=Java Software, O=Oracle, L=cup, S=ca, C=us (jane)
     s = signature was verified
     m = entry is listed in manifest
     k = at least one certificate was found in keystore
   jar verified.

Of course, the "appropriateness" of a signing authority can only be judged by a human.
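Added example, not part of the answer above: a programmatic version of the same check that prints each entry's signer distinguished name and also compares the signer certificate's SHA-256 fingerprint with a pinned value, since a distinguished name alone can be copied into a self-signed certificate. The class name JarPublisherCheck and the command-line arguments are assumptions made for this example, and it needs Java 17 or later for HexFormat.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarPublisherCheck {
    // Files that carry the signature itself are never signed entries.
    static final String SIG_FILES = "(?i)META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|DSA|RSA|EC))";

    public static void main(String[] args) throws Exception {
        // args[0] = JAR path, args[1] = expected SHA-256 fingerprint of the signer certificate
        String pinned = args[1].replace(":", "").toLowerCase();
        boolean ok = true;
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().matches(SIG_FILES)) continue;
                // Signers are known only after the entry is read to the end;
                // a modified entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                boolean match = false;
                CodeSigner[] signers = e.getCodeSigners(); // null for unsigned entries
                if (signers != null) {
                    for (CodeSigner s : signers) {
                        X509Certificate c = (X509Certificate)
                                s.getSignerCertPath().getCertificates().get(0);
                        String fp = HexFormat.of().formatHex(
                                MessageDigest.getInstance("SHA-256").digest(c.getEncoded()));
                        System.out.println(e.getName() + " <- "
                                + c.getSubjectX500Principal().getName() + " sha256=" + fp);
                        match |= fp.equals(pinned);
                    }
                }
                if (!match) {
                    System.err.println("NOT signed by pinned certificate: " + e.getName());
                    ok = false;
                }
            }
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as java JarPublisherCheck.java some.jar <fingerprint>; keytool -printcert -jarfile some.jar prints the fingerprints of the certificates a JAR was signed with.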

huangapple
  • Posted on January 30, 2020, 19:15:44
  • When reposting, please keep the link to this article: https://go.coder-hub.com/59984765.html