
Converting a signed jar file to working non-error throwing unsigned jar file by reverse engineering


I have been searching online about Java Jar signing concepts for some time now to understand what is actually happening when one signs his/her jar file. I have looked into various articles pertaining to this; however, I ended up reading ones with complex jargon which were not simple to understand. It would be really helpful if you could explain the concept in simple terms or provide a reference link.

My prime objective is to reverse engineer a signed jar file (by whatever means, such as editing the class files within the jar at byte-code level) to convert it into a working, non-error-throwing unsigned jar file.

Please guide me if my approach is not right or if the above mentioned process is not possible.

Thanks in advance.


Solution

  • Generally speaking signing includes the following steps:

    1. Create a hash value over the data to be signed
    2. Do a private key operation on the hash value

    The result ("the signature") can then be verified by anyone who has the public key. Usually the signature is packaged in a data structure that contains the public key and information about the algorithms that were used for signing.

    Signed jar files contain two additional files in the META-INF folder (open the jar file with 7-Zip or whatever file archiver you prefer to see the content), for example:

    META-INF/BCKEY.DSA
    META-INF/BCKEY.SF
    

    The ".SF" file contains hash values for every file in the jar:

    Signature-Version: 1.0
    Created-By: 1.5.0_08 (Sun Microsystems Inc.)
    SHA1-Digest-Manifest-Main-Attributes: TCwFll9z+7/6t/SlEoKf3a1SEKU=
    SHA1-Digest-Manifest: tbYd5vvo/j3yIenDqYs8xdPRv4c=
    
    Name: org/bouncycastle/asn1/ua/DSTU4145BinaryField.class
    SHA1-Digest: LwFPLRwMlgwj7TOKYsDtqhS6+lE=
    
    Name: org/bouncycastle/asn1/DEREnumerated.class
    SHA1-Digest: DLc3+IOaSG+cgzW+u4KUbgyypWA=
    
    Name: org/bouncycastle/asn1/x509/SubjectKeyIdentifier.class
    SHA1-Digest: v08rbVIhc3KGIL/JlpIPqwQTvgI=
    
    ...
    

    The ".DSA" file contains the signature and additional information in PKCS#7 format. The file extension depends on the key algorithm (".DSA", ".RSA" or ".EC").

    "BCKEY" is just a name for the signature (usually the first 8 characters of the key alias used for signing). There might be several pairs of signature files in the META-INF folder.

    The documentation of jarsigner contains a short passage about those files; it is titled "The Signed JAR File".

    So, if you want to remove the signature from a jar file, you simply have to delete all ".SF" and ".RSA"/".DSA"/".EC" files.
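
Added example, not part of the original answer: because a JAR with its signature files deleted is simply an unsigned JAR, a consumer that depends on signing has to require that the signature files are present rather than only react to verification errors. The sketch below lists each signer's ".SF" and block file and compares the ".SF" manifest digest with MANIFEST.MF. The names signature_summary, looks_signed, build_sample and DEMOKEY are assumptions, the sample JAR is constructed with a placeholder block file, and the PKCS#7 signature itself is not checked (that is what `jarsigner -verify` does).

```python
import base64, hashlib, io, re, zipfile

BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files (PKCS#7)

def b64digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def signature_summary(jar_bytes):
    """Map each signer name to its block file and whether the .SF manifest digest matches."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
        signers = {}
        for name in names:
            m = re.fullmatch(r"META-INF/([^/]+)\.SF", name, re.IGNORECASE)
            if not m:
                continue
            wanted = {f"META-INF/{m.group(1)}{ext}".upper() for ext in BLOCK_EXTS}
            block = next((n for n in names if n.upper() in wanted), None)
            # <alg>-Digest-Manifest in the .SF header is the digest of the whole MANIFEST.MF
            sf = jar.read(name).decode("utf-8", "replace")
            d = re.search(r"^(SHA1|SHA-256)-Digest-Manifest: (\S+)", sf, re.MULTILINE)
            ok = None  # None means the .SF carries no whole-manifest digest we recognise
            if d:
                algo = "sha1" if d.group(1) == "SHA1" else "sha256"
                ok = b64digest(algo, manifest) == d.group(2)
            signers[m.group(1)] = {"block": block, "manifest_digest_ok": ok}
        return signers

def looks_signed(jar_bytes):
    """Policy gate: at least one signer with a block file and a matching manifest digest."""
    return any(s["block"] and s["manifest_digest_ok"] for s in signature_summary(jar_bytes).values())

def build_sample(signed=True, tamper=False):
    """Constructed JAR; DEMOKEY.RSA holds placeholder bytes, not a real signature."""
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: Demo.class\r\n"
                f"SHA-256-Digest: {b64digest('sha256', b'constructed class bytes')}\r\n\r\n").encode()
    sf = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {b64digest('sha256', manifest)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest + (b"X-Added: 1\r\n" if tamper else b""))
        jar.writestr("Demo.class", b"constructed class bytes")
        if signed:
            jar.writestr("META-INF/DEMOKEY.SF", sf)
            jar.writestr("META-INF/DEMOKEY.RSA", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, jar in [("signed", build_sample()), ("stripped", build_sample(signed=False)),
                       ("tampered", build_sample(tamper=True))]:
        print(label, signature_summary(jar), looks_signed(jar))
```

A stripped JAR yields an empty summary with no error of any kind, which is why the gate tests for presence instead of waiting for a failure.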