I'm looking for a way to read the code signing/certificate information from JAR files.
Actually, I do want to know about the jar:
I'm thinking of calling the jarsigner as exec via Java and parsing its command-line output to retrieve this information, but that looks awful after starting right now.
Is there any other way to get this information?
I know validation could be done by some approaches I've seen here, but what about the information I do want to get?
You could try to use the Jar package to read the manifest file: https://docs.oracle.com/javase/7/docs/api/java/util/jar/package-summary.html
There is information in the Oracle docs on how to validate whether files were tampered with: https://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Signature_Validation
I'm not sure how to check the certificate, though.
Update
According to the documentation, you can get certificate and timestamp information using the Jar utils package: https://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html#APIENHANCE
Check the SecNav.java example at https://www.programcreek.com/java-api-examples/java.util.jar.JarEntry (getting the certificate and code signer for Jar entries).
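The approach this answer points to (reading `CodeSigner` data from each `JarEntry`), as an added example that is not part of the original answer or the linked SecNav.java. The class name `JarSignerInfo` and the `SIG_FILE` pattern are assumptions made for illustration; the JAR path is taken from the first command-line argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerInfo { // hypothetical class name
    // Signature-related files that jarsigner does not sign, so they never carry signers
    static final String SIG_FILE = "META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|DSA|RSA|EC))";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: JarSignerInfo <file.jar>");
        Set<CodeSigner> signers = new LinkedHashSet<>();
        List<String> unsigned = new ArrayList<>();
        // verify=true: reading an entry whose digest does not match throws SecurityException
        try (JarFile jar = new JarFile(new java.io.File(args[0]), true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (entry.isDirectory() || name.toUpperCase(Locale.ROOT).matches(SIG_FILE)) continue;
                // getCodeSigners() is only populated after the entry has been read to the end
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = entry.getCodeSigners();
                if (cs == null) unsigned.add(name);      // present in the JAR but not covered by a signature
                else signers.addAll(Arrays.asList(cs));
            }
        }
        for (CodeSigner s : signers) {
            // The certificate path starts with the signer's own certificate
            X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
            Timestamp ts = s.getTimestamp();             // null when the signature was not timestamped
            System.out.println("Subject:   " + leaf.getSubjectX500Principal());
            System.out.println("Issuer:    " + leaf.getIssuerX500Principal());
            System.out.println("Serial:    " + leaf.getSerialNumber().toString(16));
            System.out.println("Valid:     " + leaf.getNotBefore() + " to " + leaf.getNotAfter());
            System.out.println("Chain len: " + s.getSignerCertPath().getCertificates().size());
            System.out.println("Signed at: " + (ts == null ? "(no timestamp)" : ts.getTimestamp()));
        }
        System.out.println(signers.isEmpty() ? "JAR is not signed" : "Unsigned entries: " + unsigned);
    }
}
```

The `java.util.jar` verification covers entry digests and signatures only; whether the reported certificate chains to a root you trust is a separate check against your own trust store.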