I have been searching online about Java JAR signing concepts for some time now to understand what is actually happening when one signs his/her jar file. I have looked into various articles pertaining to this; however, I ended up reading ones with complex jargon which were not simple to understand. It would be really helpful if you can explain the concept in simple terms / provide any reference link.
My prime objective is to reverse engineer a signed jar file (by whatever means, such as editing the class files within the jar at byte-code level) to convert it into a working, non-error-throwing unsigned jar file.
Please guide me if my approach is not right or if the above mentioned process is not possible.
Thanks in advance.
Generally speaking, signing includes the following steps:
The result ("the signature") can then be verified by anyone who has the public key. Usually the signature is packaged in a data structure that contains the public key and information about the algorithms that were used for signing.
Signed jar files contain two additional files in the META-INF folder (open the jar file with 7-Zip or whatever file archiver you prefer to see the content), for example:
META-INF/BCKEY.DSA
META-INF/BCKEY.SF
The ".SF" file contains hash values for every file in the jar:
Signature-Version: 1.0
Created-By: 1.5.0_08 (Sun Microsystems Inc.)
SHA1-Digest-Manifest-Main-Attributes: TCwFll9z+7/6t/SlEoKf3a1SEKU=
SHA1-Digest-Manifest: tbYd5vvo/j3yIenDqYs8xdPRv4c=
Name: org/bouncycastle/asn1/ua/DSTU4145BinaryField.class
SHA1-Digest: LwFPLRwMlgwj7TOKYsDtqhS6+lE=
Name: org/bouncycastle/asn1/DEREnumerated.class
SHA1-Digest: DLc3+IOaSG+cgzW+u4KUbgyypWA=
Name: org/bouncycastle/asn1/x509/SubjectKeyIdentifier.class
SHA1-Digest: v08rbVIhc3KGIL/JlpIPqwQTvgI=
...
The ".DSA" file contains the signature and additional information in PKCS#7 format. The file extension depends on the key algorithm (".DSA", ".RSA" or ".EC").
"BCKEY" is just a name for the signature (usually the first 8 characters of the key alias used for signing). There might be several pairs of signature files in the META-INF folder.
The documentation of jarsigner contains a short passage about those files, it is titled "The Signed JAR File".
So, if you want to remove the signature from a jar file, you simply have to delete all ".SF" and ".RSA"/".DSA"/".EC" files.
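As an added example (this is not code from the answer above or from any JAR tool), the script below builds a tiny jar in memory with the same META-INF layout the answer describes and then checks its integrity layer the way a verifier would: the per-entry digests in MANIFEST.MF are recomputed from the entry contents, and the digests in the .SF file are recomputed over the whole manifest and over each manifest section. Three constructed tampering scenarios show what each layer catches: a changed entry, a changed entry whose manifest was updated too, and a jar whose .SF/.RSA files were simply deleted. Assumptions: manifests use CRLF line endings (as jarsigner writes them) and contain no 72-byte line continuations; the .SF per-section digest covers the section text including its terminating blank line; the BCKEY.RSA file is a placeholder, so the PKCS#7 signature over the .SF file is not verified (that step needs the signer's certificate and is what ultimately ties the digests to a signer).

```python
"""Inspect and verify the digest layers of a signed JAR (constructed example)."""
import base64
import hashlib
import io
import zipfile

# Digest attribute names that jarsigner writes, mapped to hashlib algorithm names.
DIGEST_ATTRS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}
SIGNATURE_BLOCK_EXTS = ("DSA", "RSA", "EC")  # PKCS#7 block file extensions


def b64digest(algo, data):
    """Base64-encoded digest, the encoding used in MANIFEST.MF and .SF files."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def split_sections(raw):
    """Split a manifest-style file into [(raw_section_bytes, attrs), ...].

    The raw bytes keep the terminating blank line because the .SF per-section
    digest is computed over it. Assumes CRLF endings and no line wrapping.
    """
    sections = []
    for chunk in raw.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        attrs = {}
        for line in chunk.split(b"\r\n"):
            key, _, value = line.partition(b": ")
            attrs[key.decode()] = value.decode()
        sections.append((chunk + b"\r\n\r\n", attrs))
    return sections


def verify_jar(jar_bytes):
    """Return a report on signature files and digest mismatches in a jar."""
    report = {"signed": False, "signature_blocks": [], "sf_files": [],
              "bad_entries": [], "bad_sf": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        report["signature_blocks"] = sorted(
            n for n in names if n.startswith("META-INF/")
            and n.rsplit(".", 1)[-1] in SIGNATURE_BLOCK_EXTS)
        report["sf_files"] = sorted(
            n for n in names if n.startswith("META-INF/") and n.endswith(".SF"))
        report["signed"] = bool(report["sf_files"] and report["signature_blocks"])
        manifest = zf.read("META-INF/MANIFEST.MF")
        sections = split_sections(manifest)
        # Layer 1: each manifest entry digest must match the entry's content.
        for _, attrs in sections[1:]:
            name = attrs.get("Name")
            if name not in names:
                report["bad_entries"].append(name)
                continue
            for attr, algo in DIGEST_ATTRS.items():
                if attr in attrs and b64digest(algo, zf.read(name)) != attrs[attr]:
                    report["bad_entries"].append(name)
        # Layer 2: each .SF digests the whole manifest and every manifest section.
        by_name = {a.get("Name"): raw for raw, a in sections[1:]}
        for sf_name in report["sf_files"]:
            sf_sections = split_sections(zf.read(sf_name))
            main = sf_sections[0][1]
            for attr, algo in DIGEST_ATTRS.items():
                key = attr + "-Manifest"
                if key in main and b64digest(algo, manifest) != main[key]:
                    report["bad_sf"].append(f"{sf_name}: {key}")
            for _, attrs in sf_sections[1:]:
                name = attrs.get("Name")
                for attr, algo in DIGEST_ATTRS.items():
                    if attr in attrs and (name not in by_name or
                                          b64digest(algo, by_name[name]) != attrs[attr]):
                        report["bad_sf"].append(f"{sf_name}: {name}")
    return report


def build_sample_jar(tamper=None):
    """Build a constructed jar with a manifest, a .SF and a placeholder .RSA.

    tamper: None, "entry" (content changed only), "manifest" (content and
    manifest changed, .SF left alone) or "stripped" (signature files removed).
    """
    files = {"com/example/Hello.class": b"\xca\xfe\xba\xbe constructed class bytes",
             "com/example/app.properties": b"greeting=hello\r\n"}
    manifest = b"Manifest-Version: 1.0\r\nCreated-By: constructed example\r\n\r\n"
    for name, data in files.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64digest('sha256', data)}\r\n\r\n".encode()
    sf = (b"Signature-Version: 1.0\r\n"
          + f"SHA-256-Digest-Manifest: {b64digest('sha256', manifest)}\r\n\r\n".encode())
    for raw, attrs in split_sections(manifest)[1:]:
        sf += f"Name: {attrs['Name']}\r\nSHA-256-Digest: {b64digest('sha256', raw)}\r\n\r\n".encode()
    if tamper in ("entry", "manifest"):
        old = b64digest("sha256", files["com/example/app.properties"]).encode()
        files["com/example/app.properties"] = b"greeting=tampered\r\n"
        if tamper == "manifest":  # attacker also fixes up the manifest digest
            new = b64digest("sha256", files["com/example/app.properties"]).encode()
            manifest = manifest.replace(old, new)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if tamper != "stripped":
            zf.writestr("META-INF/BCKEY.SF", sf)
            zf.writestr("META-INF/BCKEY.RSA", b"<placeholder: PKCS#7 block goes here>")
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for mode in (None, "entry", "manifest", "stripped"):
        print(mode, verify_jar(build_sample_jar(mode)))
```

The "stripped" case is the point of the answer above seen from the defender's side: once the .SF and signature block files are gone, nothing inside the jar records that it was ever signed, so the report simply says `signed: False` with no mismatches. Whether an unsigned jar is acceptable is therefore a policy decision for the loader or deployment pipeline (for example requiring a signature block from a trusted certificate), not something the jar format enforces on its own.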