Verify Error After Using unpack200


I have a problem when trying to load a jar that has been compressed using pack200. I found that my jar file cannot be verified after I use unpack200.

Here is the scenario:

  1. Create the keystore: keytool -keystore key -genkey -alias hj
  2. Sign the jar: jarsigner -keystore key HelloJApplet.jar hj
  3. Compress that jar file: pack200 HelloJApplet.jar.pack.gz HelloJApplet
  4. Uncompress and rename: unpack200 HelloJApplet.jar.pack.gz HelloJAppletUnpack.jar
  5. Verify the jars: jarsigner -verify HelloJApplet.jar and jarsigner -verify HelloJAppletUnpack.jar

For HelloJApplet.jar it showed "jar verified", and for HelloJAppletUnpack.jar it showed an error: jarsigner: java.lang.SecurityException: SHA-256 digest error for org/ff/ffw/app/HelloJApplet.class

Is anything wrong with what I have done so far? Please point out what I'm missing or doing wrong.


Solution

  • To sign a pack200 jar, you need to pack+unpack (i.e. repack), sign and pack again. See http://wiki.eclipse.org/Pack200#Compression_and_Signing or http://www.java.net/node/679859

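    pack200 --repack b.jar a.jar       # repack: pack + unpack a.jar into b.jar
    jarsigner -keystore key b.jar hj   # sign b.jar (keystore and alias as in the question)
    pack200 b.jar.pack.gz b.jar        # pack the signed jar again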
    

    (P.S. There was a bug in 5.0 that was fixed in 5.0u1. Upgrade if needed.)
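
The "SHA-256 digest error" in the question comes from the per-entry digests that jarsigner records in META-INF/MANIFEST.MF: pack200 rewrites class files, so the unpacked bytes no longer hash to the signed value. The script below is an added example, not code from the original post or from the JDK; it checks only manifest digests (not the signature block), and the helper names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest_digests(text):
    """Return {entry name: base64 SHA-256 digest} from a signed jar's MANIFEST.MF."""
    # Manifest lines wrap at 72 bytes; a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in unfolded.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def digest_errors(jar_bytes):
    """List entries whose current bytes no longer match the manifest digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        expected = parse_manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        bad = []
        for name, b64 in expected.items():
            actual = base64.b64encode(hashlib.sha256(jar.read(name)).digest()).decode()
            if actual != b64:
                bad.append(name)
        return bad

def build_jar(entries, manifest_source=None):
    """Constructed stand-in for a signed jar; digests are taken from manifest_source."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in (manifest_source or entries).items():
        b64 = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample bytes, not a real class file.
CLASS = "org/ff/ffw/app/HelloJApplet.class"
signed = {CLASS: b"\xca\xfe\xba\xbe constant-pool A,B"}
# Simulated pack/unpack: same class, different byte layout, old manifest kept.
unpacked = {CLASS: b"\xca\xfe\xba\xbe constant-pool B,A"}

if __name__ == "__main__":
    print(digest_errors(build_jar(signed)))            # signed before packing
    print(digest_errors(build_jar(unpacked, signed)))  # after pack + unpack
```

Repacking before signing avoids the mismatch because the digests are then computed over bytes that already have the layout a later pack/unpack round trip produces.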