
How to verify a jar signed with jarsigner programmatically


I'm wanting to sign a jar using jarsigner, then verify it using a Java application which does not have the signed jar as part of its classpath (i.e. just using a filesystem location of the jar).

Now my problem is getting the signature file out of the jar, is there a simple way to do this?

I've had a play with the Inflater and Jar InputStreams with no luck.

Or is this something that can be accomplished in a better way?

Thanks


Solution

  • The security Provider implementation guide outlines the process of verifying JARs. Although these instructions are for a JCA cryptographic service provider to verify itself, they should be applicable to your problem.

    Specifically, check out the verify(X509Certificate targetCert) method in the sample code, "MyJCE.java".
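
A sketch of that kind of check for a jar on the filesystem, added here as an example and not taken from the answer or from "MyJCE.java": it uses the standard `java.util.jar.JarFile` API, and the class name `JarSignatureCheck` and the choice to pin a single trusted signer certificate are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class JarSignatureCheck {   // hypothetical class name

    /** Returns normally only if every content entry is signed by trustedCert. */
    public static void verify(File jar, X509Certificate trustedCert) throws IOException {
        // verify=true makes JarFile check digests and signatures as entries are read
        try (JarFile jf = new JarFile(jar, true)) {
            if (jf.getManifest() == null) {
                throw new SecurityException("no manifest, jar is not signed");
            }
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are only available after the entry has been read to EOF;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                if (!signedBy(e.getCodeSigners(), trustedCert)) {
                    throw new SecurityException("unsigned or untrusted entry: " + e.getName());
                }
            }
        }
    }

    private static boolean signedBy(CodeSigner[] signers, X509Certificate trusted) {
        if (signers == null) return false;   // entry is not signed at all
        for (CodeSigner s : signers) {
            // first certificate in the path is the signer's own certificate
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(trusted)) return true;
        }
        return false;
    }

    // Signature-related files in META-INF are not themselves covered by the signature.
    private static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(java.util.Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
            || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }
}
```

This pins the signer certificate by equality and does not check its validity period or revocation status. Opening the jar without `verify=true`, or skipping the read-to-EOF step, leaves `getCodeSigners()` returning `null` even for a correctly signed jar.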